From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: no logging of successful events?
Date: Mon, 18 Aug 2008 16:07:55 -0400
Message-ID: <200808181607.55239.sgrubb@redhat.com>
References: <1219086574.6522.8.camel@orpheus.clinicomp.com> <200808181518.34373.sgrubb@redhat.com> <1219088341.6522.24.camel@orpheus.clinicomp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1219088341.6522.24.camel@orpheus.clinicomp.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: Brian LaMere
List-Id: linux-audit@redhat.com

On Monday 18 August 2008 15:39:01 Brian LaMere wrote:
> (boo for me not hitting reply-all before)
>
> Fair enough, was just basing from the man page which says:
>
> " To see unsuccessful open call's:
>
> auditctl -a exit,always -S open -F success!=0"

I think that was patched at some point. The current man page in svn is right.
But I think I should touch it up a bit.

> Note that I actually got the line from the DoD requirements, which give
> that line - if that line isn't present, then they determine that "the
> audit system is not configured to audit failed attempts to access files
> and programs."

The recent versions of the audit system ship with a stig.rules file that gives
what I believe to be a correct rule set. What the official docs say to do is
another thing. :) Take a look at that file and see how I do the unauthorized
file access.

HTH
-Steve