From mboxrd@z Thu Jan 1 00:00:00 1970
From: Linda Knippers
Subject: Re: auditd/auditctl SLED10
Date: Thu, 20 Jul 2006 16:08:35 -0400
Message-ID: <44BFE2C3.9050405@hp.com>
References: <44BF8E4F.3000405@ornl.gov> <44BF9F0D.5010204@hp.com> <1153424647.7866.11.camel@willipl1-ld1.jhuapl.edu>
In-Reply-To: <1153424647.7866.11.camel@willipl1-ld1.jhuapl.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: lane.williams@jhuapl.edu
Cc: Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

There was a bug at one point where the '-F success=0' didn't work
but '-F success!=1' did work. You might want to try that as a
workaround.

You might also try an strace on whatever program you're using to
test with to make sure there isn't an access() system call
before the open. If there is, then you'll want to audit access
failures.

-- ljk

Lane Williams wrote:
> I am using audit 1.1.3 under SuSE Enterprise 10. I was wondering if
> anyone could give me an idea of how to log when someone tries to open a
> file which they do not have access to.
>
> I've tried the example
>
> auditctl -a exit,always -S open -F success=0
>
> When I do this I get nothing in the logs. But if I add the following
>
> auditctl -a entry,always -S open
>
> I get all of the entries and the open failures when there is "No such
> file or directory", but no access violations...
>
> Thanks for any help,
>
> Lane
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
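
The strace check suggested in this reply, as an added example that is not part of the original message or of the audit project: it reads strace output, finds which of open() and access() actually returned EACCES, and prints a failure rule for each in the 'success!=1' form. The sample trace is constructed, `./testprog` is a hypothetical program name, and the parser assumes strace was run without `-f` (no pid prefix on each line).

```shell
#!/bin/sh
# Added example: decide which syscalls need a failure rule, from strace output.

# Constructed sample of `strace -e trace=open,access <program>` output for a
# test program that probes with access() and never reaches open() on the file
# it is denied.
sample_trace() {
cat <<'EOF'
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/tmp/nosuchfile", O_RDONLY)       = -1 ENOENT (No such file or directory)
access("/etc/shadow", R_OK)             = -1 EACCES (Permission denied)
access("/etc/shadow", R_OK)             = -1 EACCES (Permission denied)
EOF
}

# Read strace output on stdin; print each of open/access that returned EACCES,
# one name per line, sorted and de-duplicated. ENOENT failures are ignored
# because they are not access violations.
denied_syscalls() {
    awk '/^(open|access)\(/ && / = -1 EACCES / { sub(/\(.*/, ""); print }' | sort -u
}

# Turn syscall names on stdin into audit rules in the form used in this thread
# ("success!=1" is the workaround for "success=0" not matching).
suggest_rules() {
    while read -r sc; do
        printf "auditctl -a exit,always -S %s -F 'success!=1'\n" "$sc"
    done
}

# Against a real program (hypothetical name ./testprog):
#   strace -e trace=open,access ./testprog 2>&1 | denied_syscalls | suggest_rules
sample_trace | denied_syscalls | suggest_rules
```

If only `access` is listed, a rule on `open` alone will never record the denial, which matches the symptom described in the quoted message.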