From: Marcus Meissner
Subject: Re: auditd/auditctl SLED10
Date: Fri, 21 Jul 2006 08:02:41 +0200
Message-ID: <20060721060241.GA11979@suse.de>
In-Reply-To: <20060721005426.GA5964@w-m-p.com>
To: Klaus Weidner
Cc: Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thu, Jul 20, 2006 at 07:54:26PM -0500, Klaus Weidner wrote:
> On Thu, Jul 20, 2006 at 03:44:07PM -0400, Lane Williams wrote:
> > I am using audit 1.1.3 under SuSE Enterprise 10. I was wondering if
> > anyone could give me an idea of how to log when someone tries to open a
> > file which they do not have access to.
> >
> > I've tried the example
> >
> > auditctl -a exit,always -S open -F success=0
>
> What base kernel version and audit patches is SLED10 using? Audit
> development has been active until recently and it may not have all the
> latest and greatest audit patches in it.

Kernel 2.6.16.21. No additional audit patches as of now.

Ciao, Marcus
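
Added example, not part of the original thread: the quoted rule with `-F success=0` records every failed open, including ones that fail because the file does not exist, so this Python filter keeps only the opens that failed with EACCES or EPERM and joins each to its PATH record by event id. The sample records are constructed in the raw audit.log layout, and `denied_opens` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample records in the raw audit.log layout (not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1153461761.101:310): arch=40000003 syscall=5 success=no exit=-13 a0=bf9c2a10 items=1 pid=4121 auid=1000 uid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1153461761.101:310): item=0 name="/etc/shadow" inode=9031 dev=03:02 mode=0100640
type=SYSCALL msg=audit(1153461762.220:311): arch=40000003 syscall=5 success=no exit=-2 a0=bf9c2a10 items=1 pid=4122 auid=1000 uid=1000 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1153461762.220:311): item=0 name="/etc/ld.so.preload"
type=SYSCALL msg=audit(1153461763.507:312): arch=c000003e syscall=2 success=no exit=-1 a0=7fff10 items=1 pid=4130 auid=1001 uid=1001 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1153461763.507:312): item=0 name="/var/log/audit/audit.log"
type=SYSCALL msg=audit(1153461764.000:313): arch=40000003 syscall=5 success=yes exit=3 a0=bf9c2a10 items=1 pid=4131 auid=1000 uid=1000 comm="cat" exe="/bin/cat"
"""

OPEN_NR = {"40000003": "5", "c000003e": "2"}   # open(2) number on i386 / x86_64
DENIED = {"-13": "EACCES", "-1": "EPERM"}      # permission failures only
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def denied_opens(log_text):
    """Return one dict per open() that failed with EACCES or EPERM."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        rec = events[m.group(1)]          # records of one event share an id
        if fields.get("type") == "SYSCALL":
            rec["syscall"] = fields
        elif fields.get("type") == "PATH" and "name" in fields:
            rec.setdefault("paths", []).append(fields["name"])
    hits = []
    for event_id, rec in events.items():
        sc = rec.get("syscall", {})
        if sc.get("success") != "no" or sc.get("exit") not in DENIED:
            continue                      # drops ENOENT and successful opens
        if OPEN_NR.get(sc.get("arch")) != sc.get("syscall"):
            continue                      # not open(2) for this architecture
        hits.append({"event": event_id, "errno": DENIED[sc["exit"]],
                     "uid": sc["uid"], "auid": sc["auid"], "exe": sc["exe"],
                     "paths": rec.get("paths", [])})
    return hits

if __name__ == "__main__":
    for hit in denied_opens(SAMPLE_LOG):
        print(hit)
```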