Hello all:
I have a requirement to audit/log all failed attempts to access files. I
entered the following line in audit.rules:
-w exit,always -S open -F success!=0
and audit flags all file exits regardless of success. When I try:
-w exit,possible -S open -F success!=0
it does NOT flag any file openings, including failure. I am curious if:
-w exit,never -S open -F success=0
but I suspect that the 'first hit takes it' nature of audit-1.0.12 will make
the flag at the end useless.
So I suppose the question is - do I need to put the -F flag before the -w
portion of the entry, or is there some other way to meet the requirement?
Thank you all for any insight.
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
