I believe it is important to also note that the field values:

-F success=0 -F success!=0

effectively disable the rule. A rule is generated if ALL the expressions match. This set of rules says "generate an event when the call is BOTH successful AND unsuccessful", which of course cannot happen. If you desire to have all chmod and fchmod calls, both successful and unsuccessful, just leave off the '-F' fields. Note that Steve's rule only monitors *unsuccessful* chmod and fchmod calls.

Troy Curtis, Jr.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Grubb
Sent: Wednesday, May 23, 2007 2:10 PM
To: [email protected]
Subject: Re: AUDIT Rules

On Wednesday 23 May 2007 15:04, Paul Whitney wrote:
> -a exit,possible -S chmod -F success=0 -F success!=0
> -a exit,possible -S fchmod -F success=0 -F success!=0
> -a exit,always -S chmod -S fchmod -F success=0

You can combine the syscalls into 1 rule.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
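As an added example (not from the thread or the audit project), a small POSIX shell lint that flags rule lines carrying both `-F success=0` and `-F success!=0`, the contradiction Troy describes above, so that dead rules are caught before they are loaded. It assumes rules are stored one per line in an audit.rules-style file; `success=1` is treated as the same "successful only" condition as `success!=0`.

```shell
#!/bin/sh
# Lint audit rule lines for success filters that can never both match.

# Return 0 (true) if the rule asks for BOTH failed and successful calls
# via -F fields, 1 otherwise. Only whole "-F value" pairs are inspected,
# so "success!=0" is never mistaken for "success=0".
rule_is_contradictory() {
    wants_fail=0
    wants_ok=0
    # Re-split the rule into tokens as auditctl would see them
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-F" ] && [ $# -gt 1 ]; then
            case "$2" in
                success=0)              wants_fail=1 ;;
                success!=0|success=1)   wants_ok=1 ;;
            esac
            shift
        fi
        shift
    done
    [ "$wants_fail" -eq 1 ] && [ "$wants_ok" -eq 1 ]
}

# Scan a rules file and report every rule that can never fire.
# Returns 0 if the file is clean, 1 if at least one dead rule was found.
lint_audit_rules() {
    file="$1"
    bad=0
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            ''|\#*) continue ;;   # skip blank lines and comments
        esac
        if rule_is_contradictory "$line"; then
            echo "$file:$n: rule can never match (success=0 and success!=0): $line"
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Demo on a constructed rules file mirroring the three rules in the thread.
demo_lint() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample, not a real audit.rules' \
        '-a exit,possible -S chmod -F success=0 -F success!=0' \
        '-a exit,possible -S fchmod -F success=0 -F success!=0' \
        '-a exit,always -S chmod -S fchmod -F success=0' > "$tmp"
    lint_audit_rules "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Running `demo_lint` prints the first two rules as dead and exits non-zero; only the third (failures only) passes.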
