Re: Why doesn't chown produce an event

Marcus Meissner Wed, 02 May 2007 08:15:09 -0700

On Wed, May 02, 2007 at 11:13:23AM -0400, Robert Evans wrote:
> Greetings,
> 
> I have the following rule in audit.rules
> 
> -a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F 
> key=mod
> 
> If I log in as a typical user and try "chown bob /etc/shadow" I don't get 
> an event produced, however if I try "chmod 666 /etc/shadow" I do.
> 
> What am I missing here?
> 
> Thanks!


You need to give 1 systemcall per line I guess.

-a exit,always -S chmod -F success!-1 -F key=mod
-a exit,always -S chown -F success!-1 -F key=mod
-a exit,always -S lchown -F success!-1 -F key=mod
-a exit,always -S fchown -F success!-1 -F key=mod

Ciao, Marcus

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

Re: Why doesn't chown produce an event

Reply via email to