On Monday 18 August 2008 15:39:01 Brian LaMere wrote:
> (boo for me not hitting reply-all before)
>
> Fair enough, was just basing from the man page which says:
>
> " To see unsuccessful open call's:
>
> auditctl -a exit,always -S open -F success!=0"

I think that was patched at some point. The current man page in svn is right.
But I think I should touch it up a bit.

> Note that I actually got the line from the DoD requirements, which give
> that line - if that line isn't present, then they determine that "the
> audit system is not configured to audit failed attempts to access files
> and programs."

The recent versions of the audit system ship with a stig.rules file that gives
what I believe to be a correct rule set. What the official docs say to do is
another thing. :) Take a look at that file and see how I do the unauthorized
file access.

HTH

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
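An added illustration, not part of the original message or of the audit project's code: a small Python check that reads audit rules and reports whether each file-access rule records failed or successful calls. It relies on auditctl's `success` field being 1 for a successful syscall and 0 for a failed one, so `success!=0` selects successes. The sample rules are constructed, and the `exit=-EACCES` / `exit=-EPERM` form is assumed here as one way to write an unauthorized-access rule; `classify` and `audit_report` are hypothetical helper names.

```python
import shlex

# Constructed sample rules for the demonstration (not copied from stig.rules).
SAMPLE_RULES = """\
-a exit,always -S open -F success!=0
-a always,exit -S open -F success=0
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
-w /etc/passwd -p wa -k identity
"""

# Syscalls treated as "file access" for this check (an assumption of the example).
FILE_SYSCALLS = {"open", "openat", "creat", "truncate", "ftruncate"}


def classify(rule):
    """Return 'failed', 'succeeded', or None for one audit rule line."""
    toks = shlex.split(rule)
    syscalls, fields = set(), []
    for flag, val in zip(toks, toks[1:]):  # walk option/value pairs
        if flag == "-S":
            syscalls.add(val)
        elif flag == "-F":
            fields.append(val)
    if not syscalls & FILE_SYSCALLS:
        return None  # watches and unrelated syscall rules are out of scope
    for f in fields:
        if f in ("success=0", "success!=1"):
            return "failed"
        if f in ("success=1", "success!=0"):
            return "succeeded"  # success is 1 on success, so !=0 means success
        if f.startswith("exit=-"):
            return "failed"  # negative exit value, e.g. -EACCES or -EPERM
    return None  # no success/exit filter: rule does not select by outcome


def audit_report(text):
    """Map each non-empty rule line to its verdict."""
    return {ln: classify(ln) for ln in text.splitlines() if ln.strip()}


if __name__ == "__main__":
    for rule, verdict in audit_report(SAMPLE_RULES).items():
        print(f"{verdict or 'n/a':<10} {rule}")
```
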
