From: Paul Whitney
Subject: AUDIT Rules
Date: Wed, 23 May 2007 15:04:48 -0400
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Can someone tell me what is the correct syntax for successfully or failing to modify a file using the chmod command? I have:

-a exit,possible -S chmod -F success=0 -F success!=0
-a exit,possible -S fchmod -F success=0 -F success!=0

But I am not able to audit the event. As a regular user I try to change the permissions of /etc/shadow. The action fails (as expected) but does not get audited.

Any suggestions are greatly appreciated.

Paul Whitney
Information Systems Solutions
paul.whitney@mac.com