On Wednesday 21 February 2007 21:48, Walt Powell wrote: > I have a requirement to audit/log all failed attempts to access files.
If you are on x86_64, I think you'll need a new kernel. There was a problem in exit codes and sign extention during promotion. > I entered the following line in audit.rules: > > -w exit,always -S open -F success!=0 > > and audit flags all file exits regardless of success. See below. I think you can get this with 2 rules until you can update your kernel. > When I try: > > -w exit,possible -S open -F success!=0 > > it does NOT flag any file openings, including failure. Possible only collects information so that if another rule actually triggers an event, it has everything on hand to give a full context dump. Generally, you do not need "possible" rules. > I am curious if: > > -w exit,never -S open -F success=0 > > but I suspect that the 'first hit takes it' nature of audit-1.0.12 will > make the flag at the end useless. Yes, but you should be able to follow that rule with: -w exit,always -S open which means the success !=0 case hits the second rule. > So I suppose the question is - do I need to put the -F flag before the -w > portion of the entry, or is there some other way to meet the requirement? No, you have to use syscall auditing for this and not watches. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
