On Wednesday 18 July 2007 05:46:40 pm Ameel Kamboh wrote: > I would like to put a watch on a file for rwxa for a > File being accessed by someone who is not in the same group as the file. > > Can this be done using an audit rule?
On RHEL5 or 2.6.19 or higher: auditctl -a exit,always -S all -F perm=rwxa -F gid!=root -F path=/etc/localtime -k gid-rule and to see results: ausearch --start today -k gid-rule The only limitation is that you need to know the group beforehand. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
