From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Audit rules use of flags. Date: Mon, 26 Feb 2007 11:04:27 -0500 Message-ID: <200702261104.27862.sgrubb@redhat.com> References: <000601c7562b$f2978ff0$6400a8c0@powerbox> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <000601c7562b$f2978ff0$6400a8c0@powerbox> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wednesday 21 February 2007 21:48, Walt Powell wrote: > I have a requirement to audit/log all failed attempts to access files. If you are on x86_64, I think you'll need a new kernel. There was a problem in exit codes and sign extention during promotion. > I entered the following line in audit.rules: > > -w exit,always -S open -F success!=0 > > and audit flags all file exits regardless of success. See below. I think you can get this with 2 rules until you can update your kernel. > When I try: > > -w exit,possible -S open -F success!=0 > > it does NOT flag any file openings, including failure. Possible only collects information so that if another rule actually triggers an event, it has everything on hand to give a full context dump. Generally, you do not need "possible" rules. > I am curious if: > > -w exit,never -S open -F success=0 > > but I suspect that the 'first hit takes it' nature of audit-1.0.12 will > make the flag at the end useless. Yes, but you should be able to follow that rule with: -w exit,always -S open which means the success !=0 case hits the second rule. > So I suppose the question is - do I need to put the -F flag before the -w > portion of the entry, or is there some other way to meet the requirement? No, you have to use syscall auditing for this and not watches. -Steve