On Thu, Jul 20, 2006 at 07:54:26PM -0500, Klaus Weidner wrote:
> On Thu, Jul 20, 2006 at 03:44:07PM -0400, Lane Williams wrote:
> > I am using audit 1.1.3 under SuSE Enterprise 10. I was wondering if
> > anyone could give me an idea of how to log when someone tries to open a
> > file which they do
On Thu, Jul 20, 2006 at 03:44:07PM -0400, Lane Williams wrote:
> I am using audit 1.1.3 under SuSE Enterprise 10. I was wondering if
> anyone could give me an idea of how to log when someone tries to open a
> file which they do not have access to.
>
> I've tried the example
>
> auditctl -a exit,
There was a bug at one point where the '-F success=0' didn't
work but '-F success!=1' did work. You might want to try that
as a workaround. You might also try an strace on whatever program
you're using to test with to make sure there isn't an access()
system call before the open. If there
I am using audit 1.1.3 under SuSE Enterprise 10. I was wondering if
anyone could give me an idea of how to log when someone tries to open a
file which they do not have access to.

I've tried the example

auditctl -a exit,always -S open -F success=0

When I do this I get nothing in the logs. But i
Are you sure you have pam_loginuid.so configured in the appropriate
/etc/pam.d/* files, such as login and sshd?
I'm running the .41 kernel and the audit-1.2.4 tools and
the auid is correct in the audit records on my system.
This is what my /etc/pam.d/login file looks like:
#%PAM-1.0
auth re
I am receiving audit events with an odd auid... I am not sure if this
is something wrong in the kernel or in audit. The auid I am receiving
is 4294967295 (the max value for an unsigned long). The other uid/gid
information is normal.
I have seen this on all audit versions since audit-1.2.3,