From: Steve Grubb
Subject: Re: [RFC] NISPOM audit rules - first draft
Date: Fri, 13 Apr 2007 14:31:39 -0400
Message-ID: <200704131431.39959.sgrubb@redhat.com>
References: <200703011333.10466.sgrubb@redhat.com> <20070413132414.74b00f10@crumpet>
In-Reply-To: <20070413132414.74b00f10@crumpet>
To: "Timothy R. Chavez"
Cc: Linux Audit
List-Id: linux-audit@redhat.com

On Friday 13 April 2007 14:24, Timothy R. Chavez wrote:
> Wow... finally just getting to these. Just a couple quick comments below.

The nispom.rules file has been updated several times since this was initially
posted.

> > ## unsuccessful modifications
> > -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
> > -a exit,always -S renameat -F exit=-13 -k mods
> > -a exit,always -F perm=a -F exit=-13 -k mods
>
> No system call specified...

That's what the magic of "perm" is. It selects all syscalls that match the
changing of attribute.

-Steve
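
The rule shapes discussed above, as an added example that is not part of the original message or of the audit project's code: a small Python parser that reports, for each quoted rule, whether syscalls are named with `-S` or left to the `perm` filter, and decodes `exit=-13` to its errno name. The function names are hypothetical, and the sample input is the three rules quoted in the thread.

```python
import errno
import shlex

# Meanings of the letters accepted by the auditctl "perm" field.
PERM_CLASSES = {"r": "read", "w": "write", "x": "execute", "a": "attribute change"}

# Constructed sample input: the three rules quoted in the message above.
SAMPLE_RULES = """\
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
-a exit,always -F perm=a -F exit=-13 -k mods
"""

def describe_rule(line):
    """Summarize one rule: how syscalls are selected and which exit code it filters on."""
    info = {"syscalls": [], "perm": [], "exit": None, "key": None}
    tokens = iter(shlex.split(line))
    for opt in tokens:
        arg = next(tokens, None)
        if opt not in ("-a", "-S", "-F", "-k") or arg is None:
            raise ValueError(f"unsupported or incomplete option: {opt!r}")
        if opt == "-S":
            info["syscalls"].append(arg)
        elif opt == "-k":
            info["key"] = arg
        elif opt == "-F":
            field, _, value = arg.partition("=")
            if field == "perm":
                info["perm"] = [PERM_CLASSES[c] for c in value]
            elif field == "exit":
                # Negative exit values are errno codes; -13 is EACCES.
                code = int(value)
                info["exit"] = errno.errorcode.get(-code, str(code)) if code < 0 else str(code)
    # A rule with no -S but a perm filter relies on perm to pick the syscalls.
    if info["syscalls"]:
        info["selection"] = "explicit"
    elif info["perm"]:
        info["selection"] = "perm-class"
    else:
        info["selection"] = "unspecified"
    return info

def describe_rules(text):
    """Parse every non-empty, non-comment line of a rules file."""
    return [describe_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

if __name__ == "__main__":
    for rule in describe_rules(SAMPLE_RULES):
        print(rule["selection"], rule["syscalls"] or rule["perm"], rule["exit"], rule["key"])
```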