On Wed, 27 Jun 2007 19:42:39 +0200, Aaron Lippold said:

> # Audit Failed opens
> -a exit,always -S open -F success!=0

Note that a *lot* of programs will attempt to open optional config files, and happily go on their merry way when they get an -ENOENT leaving an audit entry for you to drown in. I just tested the venerable 'xfontsel', and at one point, it generated *12* -ENOENT in a row looking for a bitmap for a cursor before finding one it liked. The next 3 cursors only needed 9, 10, and 8 failed attempts before it found one.

> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir

That's going to be really painful on any system that does software development, as your average compile generates a lot of temporary files that get unlinked. You may want to investigate whether it's feasible to ignore unlinks in /tmp.
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
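An added example, not part of the original message or of the audit project's code: a short Python script that measures how much of the volume from the two quoted rules is ENOENT opens and /tmp deletes, so the tuning suggested above can be judged against real numbers. It assumes raw audit.log field layout and x86_64 syscall numbers; `parse_events` and `noise_report` are hypothetical names and the sample records are constructed.

```python
import posixpath
import re
from collections import Counter, defaultdict

# Assumption: x86_64 syscall numbers for the calls named in the quoted rules.
SYSCALLS = {"2": "open", "87": "unlink", "84": "rmdir"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not from a real system).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1182966159.101:1): arch=c000003e syscall=2 success=no exit=-2 exe="/usr/bin/xfontsel"
type=SYSCALL msg=audit(1182966159.102:2): arch=c000003e syscall=2 success=no exit=-2 exe="/usr/bin/xfontsel"
type=SYSCALL msg=audit(1182966160.200:3): arch=c000003e syscall=2 success=no exit=-13 exe="/bin/cat"
type=SYSCALL msg=audit(1182966161.300:4): arch=c000003e syscall=87 success=yes exit=0 exe="/usr/bin/gcc"
type=PATH msg=audit(1182966161.300:4): item=0 name="/tmp/ccA1b2C3.s"
type=SYSCALL msg=audit(1182966161.400:5): arch=c000003e syscall=87 success=yes exit=0 exe="/usr/bin/gcc"
type=CWD msg=audit(1182966161.400:5): cwd="/tmp"
type=PATH msg=audit(1182966161.400:5): item=0 name="ccD4e5F6.o"
type=SYSCALL msg=audit(1182966162.500:6): arch=c000003e syscall=87 success=yes exit=0 exe="/bin/rm"
type=CWD msg=audit(1182966162.500:6): cwd="/home/dev/src"
type=PATH msg=audit(1182966162.500:6): item=0 name="notes.txt"
"""

def parse_events(log_text):
    """Group SYSCALL/CWD/PATH records that share one audit event id (the msg= field)."""
    events = defaultdict(lambda: {"SYSCALL": {}, "PATH": [], "CWD": {}})
    for line in log_text.splitlines():
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if "msg" not in f or f.get("type") not in ("SYSCALL", "PATH", "CWD"):
            continue
        if f["type"] == "PATH":
            events[f["msg"]]["PATH"].append(f.get("name", ""))
        else:
            events[f["msg"]][f["type"]] = f
    return events

def noise_report(log_text, tmp_dir="/tmp"):
    """Split failed opens into ENOENT vs other errno, and deletes into tmp_dir vs elsewhere."""
    report = {"enoent_opens": Counter(), "other_failed_opens": Counter(), "deletes": Counter()}
    for ev in parse_events(log_text).values():
        sc = ev["SYSCALL"]
        name = SYSCALLS.get(sc.get("syscall"))
        if name == "open" and sc.get("success") == "no":
            key = "enoent_opens" if sc.get("exit") == "-2" else "other_failed_opens"
            report[key][sc.get("exe", "?")] += 1
        elif name in ("unlink", "rmdir") and ev["PATH"]:
            # Relative names are resolved against the event's CWD record.
            full = posixpath.normpath(posixpath.join(ev["CWD"].get("cwd", "/"), ev["PATH"][-1]))
            report["deletes"]["tmp" if full.startswith(tmp_dir + "/") else "other"] += 1
    return report
```

On the sample, the single EACCES open by `/bin/cat` is the entry an auditor would care about, and it sits behind the ENOENT opens and the compiler's temporary-file unlinks.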
