Hello,

I need to log file edit attempts when a user doesn't have permission to edit a specific file. For example, a non-root user attempts to edit "/var/log/audit/audit.log" which has a permission setting of 640. Although the user won't be able to edit the file (permission denied) - I'd still like to log the attempt.

Here's a snippet of my audit.rules file:

## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation

## unsuccessful open
-a exit,always -S open -F exit=-13 -k open

## unsuccessful close
-a exit,always -S close -F exit=-13 -k close

## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods

## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete

## unauthorized change directory (cd)
-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd

## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2

Thanks
-Jim
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
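Added example, not part of the original post: one way to pull the denied attempts that rules like the ones above are meant to capture out of audit.log, by grouping SYSCALL and PATH records that share an event ID and keeping those with exit=-13. The sample records are constructed and abbreviated, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed, abbreviated records in the audit.log layout (not from the post).
SAMPLE = '''\
type=SYSCALL msg=audit(1300000000.101:501): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2150 auid=1001 uid=1001 comm="vi" exe="/usr/bin/vim" key="open"
type=CWD msg=audit(1300000000.101:501): cwd="/home/jim"
type=PATH msg=audit(1300000000.101:501): item=0 name="/var/log/audit/audit.log"
type=SYSCALL msg=audit(1300000005.300:502): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2151 auid=0 uid=0 comm="cat" exe="/bin/cat" key="audit-log2"
type=PATH msg=audit(1300000005.300:502): item=0 name="/var/log/audit/audit.log"
type=SYSCALL msg=audit(1300000009.900:503): arch=c000003e syscall=87 success=no exit=-13 items=2 pid=2152 auid=1001 uid=1001 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1300000009.900:503): item=0 name="/var/log/audit/"
type=PATH msg=audit(1300000009.900:503): item=1 name="/var/log/audit/audit.log"
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # (timestamp:serial)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')                # key=value or key="value"
EACCES = "-13"   # the exit value the rules in the post filter on

def denied_attempts(log_text):
    """Return one dict per event whose SYSCALL record exited with EACCES."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.groups()]          # records of one event share timestamp:serial
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name"))
    hits = []
    for (_, serial), ev in events.items():
        sc = ev["syscall"]
        if sc and sc.get("exit") == EACCES:
            hits.append({"serial": serial, "uid": sc.get("uid"),
                         "auid": sc.get("auid"), "exe": sc.get("exe"),
                         "key": sc.get("key"), "paths": ev["paths"]})
    return hits

if __name__ == "__main__":
    for hit in denied_attempts(SAMPLE):
        print(hit)
```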
