So you still need a watch on the file in order to get audit events generated in 
the event of file access failures, is that correct?

Karen Wieprecht 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Grubb
Sent: Friday, December 22, 2006 10:33 AM
To: Curtas, Anthony R.
Cc: [email protected]
Subject: Re: Audit config for NISPOM req's

On Friday 22 December 2006 10:08, Curtas, Anthony R. wrote:
> One thing that still confuses me is how "possible" is implemented.

Possible means to collect the information at entry in case it's needed later. 
Rules with possible will never trigger an event, they simply tell it to collect 
the information. A watch or SE Linux AVC would actually use the information 
collected.

> From what I've read in the documentation, it looks like if you set a 
> rule for entry,possible -- the audit system waits until a file watch 
> is thrown, then it writes the event.  Do I have this right?

Yes.

> If I always want to see when /etc/shadow is opened:
>
> -w /etc/shadow -rwxa
> -a entry,possible -S open

That would be opened for write or execute.

> Will that work?  And if I understand the mechanism correctly, that 
> would log an open of ANY file that has a watch on it?

Not quite. It will collect the information for any open, but only emit an event 
when shadow is opened for write or execute.

> One last thing, if I only want unsuccessful open attempts on the watch 
> files, would this work?
> -a entry,possible -S open -F success!=1

It should collect the information for later use. If you wanted all unsuccessful 
opens, I'd rewrite as:

-a exit,always -S open -F success!=1

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
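The rules discussed in the thread (a watch on /etc/shadow plus an open syscall rule with success!=1) produce raw audit records where a SYSCALL record with success=no shares its serial number with the PATH record naming the file. The script below is an added example, not code from the thread or from the audit project: it correlates records by serial the way ausearch does in userspace and reports failed opens, optionally restricted to a set of watched paths. The log lines are constructed to mimic auditd's raw record format; the key names (shadow, failed-open) and the inode/dev values are assumptions.

```python
"""Correlate raw Linux audit records into per-serial events and report failed
opens, optionally only for watched paths.  Example code added alongside the
linux-audit thread; it is not part of audit userspace.  SAMPLE_LOG is
constructed to look like auditd's raw output (type=... msg=audit(ts:serial): ...).
"""
import re
from collections import defaultdict

# Constructed sample.  Serial 101: root reads /etc/shadow successfully.
# Serial 102: an unprivileged user is denied (exit=-13, EACCES).
# Serial 103: a failed open of an unrelated, nonexistent file (exit=-2, ENOENT).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1166806400.101:101): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=0 a3=0 items=1 ppid=900 pid=901 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="shadow"
type=CWD msg=audit(1166806400.101:101): cwd="/root"
type=PATH msg=audit(1166806400.101:101): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1166806400.102:102): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2 a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="cat" exe="/usr/bin/cat" key="shadow"
type=CWD msg=audit(1166806400.102:102): cwd="/home/alice"
type=PATH msg=audit(1166806400.102:102): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1166806400.103:103): arch=c000003e syscall=2 success=no exit=-2 a0=7ffd3 a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1202 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="cat" exe="/usr/bin/cat" key="failed-open"
type=CWD msg=audit(1166806400.103:103): cwd="/home/alice"
type=PATH msg=audit(1166806400.103:103): item=0 name="/etc/nosuchfile" nametype=UNKNOWN
"""

# Record header: type=<TYPE> msg=audit(<seconds.millis>:<serial>): <fields>
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield (type, timestamp, serial, fields) for each well-formed raw record."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not a raw audit record
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        yield rtype, float(ts), int(serial), fields


def group_events(text):
    """Group records sharing a serial into one event (SYSCALL + CWD + PATH...)."""
    events = defaultdict(lambda: {"ts": None, "syscall": None, "paths": []})
    for rtype, ts, serial, fields in parse_records(text):
        ev = events[serial]
        ev["ts"] = ts
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events


def failed_opens(text, watched=None):
    """Return failed-open events.  With watched=None this mirrors the thread's
    '-a exit,always -S open -F success!=1' (every unsuccessful open); with a
    set of paths it mirrors that rule combined with a watch on those files."""
    hits = []
    for serial, ev in sorted(group_events(text).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "no":
            continue
        matched = ev["paths"] if watched is None else [p for p in ev["paths"] if p in watched]
        if not matched:
            continue
        hits.append({
            "serial": serial,
            "ts": ev["ts"],
            "auid": sc.get("auid"),   # login uid: who is really behind the attempt
            "uid": sc.get("uid"),
            "exe": sc.get("exe"),
            "errno": -int(sc.get("exit", "0")),  # exit=-13 -> errno 13 (EACCES)
            "path": matched[0],
            "key": sc.get("key"),
        })
    return hits


if __name__ == "__main__":
    for hit in failed_opens(SAMPLE_LOG, {"/etc/shadow"}):
        print(hit)
```

Two practical caveats when turning the thread's rules into a current ruleset: a syscall rule written as `-S open` alone misses opens that libc issues as openat, so watch both, and on 64-bit systems each syscall rule needs an `-F arch=` filter so the syscall number resolves unambiguously. The correlation above is what you rely on to answer Karen's question: the success filter decides when the event is emitted, and the watch (or, here, the PATH record) is what ties it to the file.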
