On Friday 22 December 2006 10:08, Curtas, Anthony R. wrote: > One thing that still confuses me is how "possible" is implemented.
Possible means to collect the information at entry in case its needed later. Rules with possible will never trigger an event, they simply tell it to collect the information. A watch or SE Linux AVC would actually use the information collected. > From what I've read in the documentation, it looks like if you set a rule > for entry,possible -- the audit system waits until a file watch is thrown, > then it writes the event. Do I have this right? Yes. > If I always want to see when /etc/shadow is opened: > > -w /etc/shadow -rwxa > -a entry,possible -S open That would be opened for write or execute. > Will that work? And if I understand the mechanism correctly, that would > log an open of ANY file that has a watch on it? Not quite. It will collect the information for any open, but only emit an event when shadow is opened for write or execute. > One last thing, if I only want unsuccessful open attempts on the watch > files, would this work? > -a entry,possible -S open -F success!=1 It should collect the information for later use. If you wanted all unsuccessful opens, I'd rewrite as: -a exit,always -S open -F success!=1 -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
