The auditctl man page for audit-1.0.14-1EL4 says the following (which
appears to be incorrect):
        To see unsuccessful open calls:
        auditctl -a exit,always -S open -F success!=0

but an email you sent out a bit ago says this: 

>> If you wanted all unsuccessful opens, I'd rewrite as:
>>
>> -a exit,always -S open -F success!=1

This makes a lot more sense, and I assume that this is the correct
syntax. You might want to check to see if this has already been
corrected in the man pages for upcoming releases.

I was hoping that this setting by itself (-a exit,always -S open -F
success!=1) would show me any failed file opens on the whole machine,
so I don't understand why I don't get any audit events with this
configuration. I thought that maybe I also have to have a watch set on
a file, then tell auditd which events I want to collect with the "-a
exit,always -S open -F success!=1" setting, but that didn't do it
either. Here's what I was testing:

/etc/audit.rules:

-D
-w /etc/nsswitch.conf -rwxa
-a exit,always -S open -F success!=1


Then 
        service auditd reload
        service auditd rotate
        autail -f /var/log/audit/audit.log 

Then in another window, as a non-privileged user
        rm /etc/nsswitch.conf
        cat /dev/null > /etc/nsswitch.conf
        chown karen /etc/nsswitch.conf
        chmod 777 /etc/nsswitch.conf
        cat somefile >> /etc/nsswitch.conf

I get lots of permission denied messages at the command line, but
nothing in the audit log relating to karen messing around with
/etc/nsswitch.conf.  

I must still be missing some basic understanding of how this all works.
Any helpful suggestions would be greatly appreciated.

Karen Wieprecht

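As an added example (not part of the original message), a small Python parser for the records auditd writes to /var/log/audit/audit.log: it groups the SYSCALL and PATH records of one event by their shared audit(timestamp:serial) id and reports the calls logged with success=no, the field that a `-F success` filter is evaluated against. The log lines in it are constructed to resemble a denied and a permitted open of /etc/nsswitch.conf in the audit 1.x record format; they are not real output from Karen's machine.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original message) in the format auditd
# writes to /var/log/audit/audit.log. All records of one event share the same
# audit(timestamp:serial) id; serial 1234 is a denied open (exit=-13 is -EACCES).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1162308742.345:1234): arch=40000003 syscall=5 success=no exit=-13 a0=bfb12345 a1=8241 a2=1b6 a3=0 items=1 pid=4321 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1162308742.345:1234):  cwd="/home/karen"
type=PATH msg=audit(1162308742.345:1234): item=0 name="/etc/nsswitch.conf" inode=12345 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1162308742.901:1235): arch=40000003 syscall=5 success=yes exit=3 a0=bfb12345 a1=8000 a2=0 a3=0 items=1 pid=4322 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1162308742.901:1235): item=0 name="/etc/nsswitch.conf" inode=12345 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="quoted value"
EVENT_ID = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # serial shared by one event's records


def parse_record(line):
    """Return (serial, fields) for one audit.log line, with quotes stripped from values."""
    match = EVENT_ID.search(line)
    fields = {k: v.strip('"') for k, v in KEY_VALUE.findall(line)}
    return (match.group(1) if match else None), fields


def failed_syscalls(log_text):
    """Correlate SYSCALL and PATH records by serial and return the denied calls.
    The success=yes/no field of the SYSCALL record is what an auditctl
    '-F success' filter is evaluated against."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            serial, fields = parse_record(line)
            events[serial].append(fields)
    findings = []
    for serial, records in events.items():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("success") != "no":
            continue
        findings.append({
            "serial": serial,
            "syscall": syscall.get("syscall"),      # 5 is open on i386 (arch=40000003)
            "exit": int(syscall.get("exit", "0")),  # negative errno, e.g. -13 = EACCES
            "uid": syscall.get("uid"),
            "comm": syscall.get("comm"),
            "paths": [r["name"] for r in records if r.get("type") == "PATH" and "name" in r],
        })
    return findings
```

Running `failed_syscalls` over a real audit.log gives one entry per denied call with the uid, command and paths involved, which makes it easy to see whether a rule is producing events for the file you expect.
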
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
