From: Marcus Meissner
Subject: Re: Why doesn't chown produce an event
Date: Wed, 2 May 2007 17:14:58 +0200
Message-ID: <20070502151458.GA2847@suse.de>
References: <4638AA93.7050108@jhuapl.edu>
In-Reply-To: <4638AA93.7050108@jhuapl.edu>
To: Robert Evans
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, May 02, 2007 at 11:13:23AM -0400, Robert Evans wrote:
> Greetings,
>
> I have the following rule in audit.rules
>
> -a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F
> key=mod
>
> If I log in as a typical user and try "chown bob /etc/shadow" I don't get
> an event produced, however if I try "chmod 666 /etc/shadow" I do.
>
> What am I missing here?
>
> Thanks!

You need to give 1 system call per line I guess.

-a exit,always -S chmod -F success!-1 -F key=mod
-a exit,always -S chown -F success!-1 -F key=mod
-a exit,always -S lchown -F success!-1 -F key=mod
-a exit,always -S fchown -F success!-1 -F key=mod

Ciao, Marcus