From: "Mike Nixon" <mnixxon@gmail.com>
To: 'Paul Whitney' <paul.whitney@mac.com>, linux-audit@redhat.com
Subject: RE: AUDIT Rules
Date: Thu, 24 May 2007 19:31:08 -0400
Message-ID: <005101c79e5b$9bb8f1b0$3301a8c0@Rascal>
In-Reply-To: <C27A0890.1E30%paul.whitney@mac.com>
Change the word possible to always and restart your auditd daemon.
i.e.
-a exit,always -S chmod -F success=0 -F success!=0
-a exit,always -S fchmod -F success=0 -F success!=0
Mike Nixon, CISSP
LTC Engineering Assoc.
nixon@ltceng.com
-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com]
On Behalf Of Paul Whitney
Sent: Wednesday, May 23, 2007 3:05 PM
To: linux-audit@redhat.com
Subject: AUDIT Rules
Can someone tell me what is the correct syntax for successfully or failing
to modify a file using the chmod command? I have:
-a exit,possible -S chmod -F success=0 -F success!=0
-a exit,possible -S fchmod -F success=0 -F success!=0
But I am not able to audit the event. As a regular user I try to change the
permissions of /etc/shadow. The action fails (as expected) but does not get
audited.
Any suggestions are greatly appreciated.
Paul Whitney
Information Systems Solutions
paul.whitney@mac.com
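
Added example (not part of the thread and not code from the audit project): a small Python linter for rules like the ones above. It flags the `possible` action that the reply replaces with `always`, and, assuming auditctl's documented behaviour that all -F fields on one rule are ANDed, flags success tests that no syscall outcome can satisfy. The function names and finding labels are hypothetical.

```python
import shlex

# Constructed sample input: the two rule forms that appear in the thread.
SAMPLE_RULES = [
    "-a exit,possible -S chmod -F success=0 -F success!=0",
    "-a exit,always -S chmod -F success=0 -F success!=0",
]

def fields(tokens):
    """Yield (index, name, op, value) for every -F field of a tokenized rule."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-F":
            for op in ("!=", "="):
                name, sep, value = tokens[i + 1].partition(op)
                if sep:
                    yield i, name, op, value
                    break

def lint_rule(line):
    """Return findings: the `possible` action, and unsatisfiable success tests."""
    tokens, findings = shlex.split(line), []
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-a", "-A") and "possible" in tokens[i + 1].split(","):
            findings.append("action-possible")
    tests = [(op, val) for _, name, op, val in fields(tokens) if name == "success"]
    # Assumption: -F fields are ANDed, so every test must hold for one outcome.
    holds = lambda v: all((v == val) == (op == "=") for op, val in tests)
    if tests and not any(holds(v) for v in ("0", "1")):
        findings.append("success-filters-contradict")
    return findings

def fix_rule(line):
    """Rewrite a rule: possible -> always; drop success tests that can never match."""
    tokens, drop = shlex.split(line), set()
    if "success-filters-contradict" in lint_rule(line):
        for i, name, _, _ in fields(tokens):
            if name == "success":
                drop.update((i, i + 1))
    out = []
    for i, tok in enumerate(tokens):
        if i in drop:
            continue
        if i and tokens[i - 1] in ("-a", "-A"):
            tok = ",".join("always" if p == "possible" else p for p in tok.split(","))
        out.append(tok)
    return " ".join(out)

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(lint_rule(rule), "->", fix_rule(rule))
```

A rule with no success field records both successful and failed calls; `-F success=0` on its own keeps only the failures.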