Hello all:

I have a requirement to audit/log all failed attempts to access files.  I entered the following line in audit.rules:

-w exit,always -S open -F success!=0

and audit flags all file exits regardless of success.  When I try:

-w exit,possible -S open -F success!=0

it does NOT flag any file openings, including failure.  I am curious if:

-w exit,never -S open -F success=0

but I suspect that the 'first hit takes it' nature of audit-1.0.12 will make the flag at the end useless.

So I suppose the question is - do I need to put the -F flag before the -w portion of the entry, or is there some other way to meet the requirement?

Thank you all for any insight.