From: Walt Powell
Subject: Audit rules use of flags.
Date: Wed, 21 Feb 2007 21:48:33 -0500
To: linux-audit@redhat.com

Hello all:

I have a requirement to audit/log all failed attempts to access files. I
entered the following line in audit.rules:

-w exit,always -S open -F success!=0

and audit flags all file exits regardless of success. When I try:

-w exit,possible -S open -F success!=0

it does NOT flag any file openings, including failure. I am curious if:

-w exit,never -S open -F success=0

but I suspect that the 'first hit takes it' nature of audit-1.0.12 will
make the flag at the end useless.
So I suppose the question is - do I need to put the -F flag before the -w
portion of the entry, or is there some other way to meet the requirement?

Thank you all for any insight.
From: Steve Grubb
Subject: Re: Audit rules use of flags.
Date: Thu, 22 Feb 2007 09:06:52 -0500
To: linux-audit@redhat.com

On Wednesday 21 February 2007 21:48:33 Walt Powell wrote:
> I have a requirement to audit/log all failed attempts to access files. I
> entered the following line in audit.rules:
>
> -w exit,always -S open -F success!=0
>
> and audit flags all file exits regardless of success.

Which kernel are you using? Answering all your questions depends on that.

-Steve

From: Steve Grubb
Subject: Re: Audit rules use of flags.
Date: Mon, 26 Feb 2007 11:04:27 -0500
To: linux-audit@redhat.com

On Wednesday 21 February 2007 21:48, Walt Powell wrote:
> I have a requirement to audit/log all failed attempts to access files.
If you are on x86_64, I think you'll need a new kernel. There was a problem in
exit codes and sign extension during promotion.

> I entered the following line in audit.rules:
>
> -w exit,always -S open -F success!=0
>
> and audit flags all file exits regardless of success.

See below. I think you can get this with 2 rules until you can update your
kernel.

> When I try:
>
> -w exit,possible -S open -F success!=0
>
> it does NOT flag any file openings, including failure.

Possible only collects information so that if another rule actually triggers an
event, it has everything on hand to give a full context dump. Generally, you do
not need "possible" rules.

> I am curious if:
>
> -w exit,never -S open -F success=0
>
> but I suspect that the 'first hit takes it' nature of audit-1.0.12 will
> make the flag at the end useless.

Yes, but you should be able to follow that rule with:

-w exit,always -S open

which means the success !=0 case hits the second rule.

> So I suppose the question is - do I need to put the -F flag before the -w
> portion of the entry, or is there some other way to meet the requirement?

No, you have to use syscall auditing for this and not watches.

-Steve
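The "first hit takes it" behaviour Steve relies on, as an added model written for this thread (it is not kernel, auditctl or list code): rules are walked in order, the first rule whose syscall and field filters match decides, `always` emits an event, `never` drops the record, and `possible` only keeps context, so on its own it emits nothing. The `success` field is assumed to be 1 for a call that succeeded and 0 for one that failed, as auditctl(8) documents it; the sample records are constructed.

```python
# Model of the audit exit filter's first-match semantics (added illustration,
# not kernel or auditctl code). Assumption: success is 1 for a call that
# succeeded and 0 for a call that failed, as auditctl(8) documents the field.

# Constructed syscall exit records: (syscall name, success flag).
SAMPLE_EXITS = [("open", 1), ("open", 0), ("open", 0), ("read", 0)]

def field_matches(record, filters):
    """Every -F style filter must hold; only the success field is modelled."""
    _, success = record
    for field, op, value in filters:
        assert field == "success"
        if op == "=" and success != value:
            return False
        if op == "!=" and success == value:
            return False
    return True

def first_match(rules, record):
    """'First hit takes it': the first rule whose -S and -F parts match decides."""
    syscall, _ = record
    for action, rule_syscall, filters in rules:
        if rule_syscall == syscall and field_matches(record, filters):
            return action
    return None

def emitted_events(rules, records):
    """Only a deciding 'always' rule emits an event: 'never' drops the record
    and 'possible' merely keeps context for some other rule, emitting nothing."""
    return [r for r in records if first_match(rules, r) == "always"]

# Rule sets as (action, syscall, filters), mirroring the ones in the thread.
POSSIBLE_ONLY = [("possible", "open", [("success", "!=", 0)])]
NEVER_THEN_ALWAYS = [
    ("never", "open", [("success", "=", 0)]),  # drops the opens it names...
    ("always", "open", []),                    # ...the complement falls through
]
ALWAYS_THEN_NEVER = list(reversed(NEVER_THEN_ALWAYS))  # never rule is now dead

if __name__ == "__main__":
    for name, rules in [("possible only", POSSIBLE_ONLY),
                        ("never then always", NEVER_THEN_ALWAYS),
                        ("always then never", ALWAYS_THEN_NEVER)]:
        print(name, "->", emitted_events(rules, SAMPLE_EXITS))
```

Whichever side of the success field the `never` rule names, the bare `always` rule after it catches the complement; reverse the order and the `never` rule is never reached.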