From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: auditctl Question
Date: Thu, 22 Mar 2007 09:57:56 -0400
Message-ID: <200703220957.56397.sgrubb@redhat.com>
References: <502890.80597.qm@web55402.mail.re4.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <502890.80597.qm@web55402.mail.re4.yahoo.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Khoa V. Nguyen" <kelvestto@yahoo.com>
List-Id: linux-audit@redhat.com

On Wednesday 21 March 2007 13:03, Khoa V. Nguyen wrote:
> I want to be able to audit failed access to /etc/inittab but I don't think
> the current auditctl features able to accomplish it.
>
> auditctl -a watch,always /etc/inittab -F success=no
>
> This would be a syntax error..but
>
> auditctl -a exit,always -w /etc/inittab -F success=no
>
>
> How can I do it?

It depends on the kernel you are running on. For 2.6.19 and higher, you'd just 
do:

auditctl -a exit,always -F perm=rwa -F path=/etc/inittab -F success=no

If you have an earlier kernel, you are limited to -S open -F success=no and 
you could limit its scope by using -F devmajor and devminor.

-Steve