On Thursday 11 January 2007 14:18, Wieprecht, Karen M. wrote:
> This makes a lot more sense, and I assume that this is the correct
> syntax.

And it's easy to determine empirically. :)

> You might want to check to see if this has already been
> corrected in the man pages for upcoming releases.

hmm...I'll check, thanks.

> I was hoping that this setting by itself (-a exit,always -S open -F
> success!=1) would show me any failed file opens on the whole machine,

It does for me.

> so I don't understand why I don't get any audit events with this
> configuration.

What arch are you on?

> /etc/audit.rules :
>
> -D
> -w /etc/nsswitch.conf -rwxa
> -a exit,always -S open -F success!=1

You do not need both. The last rule by itself should do it.

> service auditd reload
> service auditd rotate
> autail -f /var/log/audit/audit.log

I don't use autail. I run ausearch to check results.

> Then in another window, as a non-prived user
> rm /etc/nsswitch.conf
> cat /dev/null > /etc/nsswitch.conf
> chown karen /etc/nsswitch.conf
> chmod 777 /etc/nsswitch.conf
> cat somefile >> /etc/nsswitch.conf
>
> I get lots of permission denied messages at the command line, but
> nothing in the audit log relating to karen messing around with
> /etc/nsswitch.conf.

Are you using ausearch or autail?

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
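The check discussed in this thread (failed `open` calls recorded by `-a exit,always -S open -F success!=1`), as an added Python example that is not part of the original message: it groups audit.log records by event serial and reports the opens that failed. The sample records and function names are assumptions made for illustration; the arch and syscall values are those of `open` on i386 and x86_64.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). Event 302 is a failed unlink from rm.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1168543101.512:301): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=4211 auid=500 uid=500 comm="bash" exe="/bin/bash"
type=PATH msg=audit(1168543101.512:301): item=0 name="/etc/nsswitch.conf" inode=1048601
type=SYSCALL msg=audit(1168543105.040:302): arch=40000003 syscall=10 success=no exit=-13 items=1 pid=4215 auid=500 uid=500 comm="rm" exe="/bin/rm"
type=PATH msg=audit(1168543105.040:302): item=0 name="/etc/nsswitch.conf" inode=1048601
type=SYSCALL msg=audit(1168543110.771:303): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=4220 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1168543110.771:303): item=0 name="/etc/passwd" inode=1048577
'''

# (arch, syscall number) pairs that mean open(2); the number differs per arch.
OPEN_SYSCALLS = {("40000003", "5"), ("c000003e", "2")}  # i386, x86_64

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial number: {serial: [(type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)].append((rtype, fields))
    return events

def failed_opens(text):
    """Return (serial, auid, comm, path) for every open(2) that failed."""
    hits = []
    for serial, records in sorted(parse_events(text).items()):
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if not sc or sc.get("success") != "no":
            continue
        if (sc.get("arch"), sc.get("syscall")) not in OPEN_SYSCALLS:
            continue  # failed, but a different syscall (e.g. unlink)
        paths = [f["name"] for t, f in records if t == "PATH" and "name" in f]
        hits.append((serial, sc.get("auid"), sc.get("comm"), paths[0] if paths else None))
    return hits

if __name__ == "__main__":
    for hit in failed_opens(SAMPLE_LOG):
        print(hit)
```

In the constructed sample only event 301 is reported: the failed `unlink` from `rm` is a different syscall, so a rule limited to `-S open` would not record it.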
