Hmm... The documentation says that it is best to combine system calls on
one line.
And in fact the sample audit.rules for NISPOM coverage posted by this
site have the system calls on one line as well.

Bob

-----Original Message-----
From: Marcus Meissner [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 02, 2007 11:15 AM
To: Evans, Robert B.
Cc: [email protected]
Subject: Re: Why doesn't chown produce an event

On Wed, May 02, 2007 at 11:13:23AM -0400, Robert Evans wrote:
> Greetings,
> 
> I have the following rule in audit.rules
> 
> -a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F key=mod
> 
> If I log in as a typical user and try "chown bob /etc/shadow" I don't 
> get an event produced, however if I try "chmod 666 /etc/shadow" I do.
> 
> What am I missing here?
> 
> Thanks!

You need to give 1 system call per line, I guess.

-a exit,always -S chmod -F success!-1 -F key=mod
-a exit,always -S chown -F success!-1 -F key=mod
-a exit,always -S lchown -F success!-1 -F key=mod
-a exit,always -S fchown -F success!-1 -F key=mod

Ciao, Marcus

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
