From: "Walt Powell"
Subject: Audit rules use of flags.
Date: Wed, 21 Feb 2007 21:48:33 -0500
Message-ID: <000601c7562b$f2978ff0$6400a8c0@powerbox>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello all:

I have a requirement to audit/log all failed attempts to access files. I entered the following line in audit.rules:

-w exit,always -S open -F success!=0

and audit flags all file exits regardless of success. When I try:

-w exit,possible -S open -F success!=0

it does NOT flag any file openings, including failure. I am curious if:

-w exit,never -S open -F success=0

but I suspect that the 'first hit takes it' nature of audit-1.0.12 will make the flag at the end useless.

So I suppose the question is - do I need to put the -F flag before the -w portion of the entry, or is there some other way to meet the requirement?

Thank you all for any insight.
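As an added illustration, not code from the mail above or from the audit project, here is a small Python linter modelled on the auditctl rule grammar: `-a list,action` opens a syscall rule, `-w` takes a filesystem path (not a list,action pair), `-S` and `-F` may appear in any order and are ANDed, and `-F success=0` selects failed calls because the success field is true for syscall return values >= 0. Run over the three rules from the mail (embedded as a constructed sample) plus a corrected form, it reports which clauses keep each rule from logging only failed opens. The accepted grammar subset, the sample file, the diagnostic wording and the helper names are this example's assumptions.

```python
"""Toy linter for auditctl-style rule lines (added example, not audit project code)."""
import re
import shlex

# Constructed sample: the three rules from the mail plus a corrected form.
SAMPLE_RULES = """\
# audit.rules (constructed sample)
-w exit,always -S open -F success!=0
-w exit,possible -S open -F success!=0
-w exit,never -S open -F success=0
-a exit,always -S open -F success=0 -k failed-open
"""

LISTS = {"exit", "entry", "task", "user", "exclude"}
ACTIONS = {"always", "never"}
# field name, comparison operator, value (e.g. success!=0, success=0, uid>=1000)
FIELD_RE = re.compile(r"^([a-z0-9_]+)(!=|>=|<=|&=|=|>|<|&)(.+)$")


def check_list_action(pair, rule, diags):
    """Validate a 'list,action' pair and record it on the rule."""
    lst, _, act = pair.partition(",")
    rule["list"], rule["action"] = lst, act
    if lst not in LISTS:
        diags.append("unknown list %r" % lst)
    if act not in ACTIONS:
        diags.append("unknown action %r (current auditctl accepts always or never)" % act)


def lint_rule(line):
    """Parse one rule line; return (parsed rule dict, list of diagnostics)."""
    toks = shlex.split(line)
    rule = {"kind": None, "list": None, "action": None, "path": None,
            "syscalls": [], "fields": [], "key": None}
    diags = []
    i = 0
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if arg is None:
            diags.append("%s needs an argument" % opt)
            break
        if opt == "-a":                       # syscall rule: -a list,action
            rule["kind"] = "syscall"
            check_list_action(arg, rule, diags)
        elif opt == "-w":                     # file watch: -w /path
            rule["kind"] = "watch"
            rule["path"] = arg
            if not arg.startswith("/"):
                diags.append("-w takes a filesystem path, not %r; "
                             "a list,action pair belongs to -a" % arg)
                if "," in arg:               # still check the pair the author meant
                    check_list_action(arg, rule, diags)
        elif opt == "-S":
            rule["syscalls"].append(arg)
        elif opt == "-F":
            m = FIELD_RE.match(arg)
            if not m:
                diags.append("cannot parse field %r" % arg)
            else:
                name, op, val = m.groups()
                rule["fields"].append((name, op, val))
                if name == "success" and (op, val) == ("!=", "0"):
                    diags.append("success!=0 matches successful calls; "
                                 "use success=0 to record failures")
        elif opt == "-k":
            rule["key"] = arg
        else:
            diags.append("unknown option %r" % opt)
        i += 2
    # The success field is only known once the syscall returns, i.e. on the exit list.
    if rule["kind"] == "syscall" and rule["list"] != "exit" and \
            any(f[0] == "success" for f in rule["fields"]):
        diags.append("success is only evaluated on the exit list")
    return rule, diags


def logs_failed_calls(rule):
    """True if the parsed rule is a syscall rule that records only failed calls."""
    return (rule["kind"] == "syscall" and rule["action"] == "always"
            and ("success", "=", "0") in rule["fields"])


def lint_rules(text):
    """Lint every non-blank, non-comment line; return [(lineno, line, diags), ...]."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        _, diags = lint_rule(stripped)
        out.append((lineno, stripped, diags))
    return out


if __name__ == "__main__":
    for lineno, line, diags in lint_rules(SAMPLE_RULES):
        print("%d: %s" % (lineno, line))
        for d in diags:
            print("   - " + d)
```

Because auditctl accumulates `-S` and `-F` clauses in whatever order they appear, moving `-F` ahead of the list/action pair changes nothing; what decides whether failed opens are recorded is the option name (`-a`, not `-w`) and the field value (`success=0`, not `success!=0`).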