[suse-sles-e] Audit help with SLES 10

From: Swisher, John (john.swisher_at_lmco.com)
Date: Wed Jan 31 2007 - 19:21:19 CET


Date: Wed, 31 Jan 2007 11:21:19 -0700
From: "Swisher, John" <john.swisher@lmco.com>
Message-id: <BAA666C1E230E143BB9E839ED55EF1949E7C50@emss02m12.us.lmco.com>
Subject: [suse-sles-e] Audit help with SLES 10

We have a need to be able to audit failed accesses to certain files and
directories by non-root users on a SLES 10 installation here.

It's bad enough that file watches aren't supported by audit under SLES
10, but even the following entry in audit.rules doesn't work:
-a exit,always -S open -F exit=-13 -F uid!=0

I've tried simply looking at failures without regard to user:
-a exit,always -S open -F exit=-13 (permission denied failures)
-a exit,always -S open -F success=0 (all failures)
-a exit,always -S open -F exit!=0 (all failures)

None of the above entries generates audit records, but the following
entry does:
-a exit,always -S open

This generates a huge number of audit records which must be filtered via
scripts, not to mention the additional storage it's requiring for the
unneeded records.

Any suggestions on how to remedy this?

John Swisher
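Since the poster reports that the exit= and uid= filters are ignored by the SLES 10 kernel and only the bare "-S open" rule produces records, the filtering has to happen after the fact. What follows is an added example, not part of the original message and not SUSE's or the audit project's own tooling: a POSIX shell/awk filter that reads an audit.log, keeps SYSCALL records whose exit code is -13 (EACCES) and whose uid is not 0, and joins each one to its PATH record so the denied filename is reported alongside the serial, uid and executable. The sample log lines are constructed for illustration; the record layout (type=SYSCALL ... success= exit= ... uid= ... exe=, and type=PATH ... name=) follows the standard auditd format, and the 32-bit x86 syscall number 5 for open is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): post-filter audit.log records
# from a bare "-a exit,always -S open" rule down to permission-denied opens
# (exit=-13, EACCES) by non-root users (uid != 0), and attach the PATH record.
# Record layout assumed: standard auditd SYSCALL/PATH lines. Sample data below
# is constructed; serial 101 is the event we want, 102 is denied but root,
# 103 succeeded (hypothetical x86 syscall 5 = open, arch=40000003).
SAMPLE_LOG='type=SYSCALL msg=audit(1170267679.101:101): arch=40000003 syscall=5 success=no exit=-13 a0=bfd1 a1=0 a2=0 a3=0 items=1 pid=4321 auid=1000 uid=1000 gid=100 euid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1170267679.101:101): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1170267679.102:102): arch=40000003 syscall=5 success=no exit=-13 a0=bfd1 a1=0 a2=0 a3=0 items=1 pid=4322 auid=0 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1170267679.102:102): item=0 name="/root/secret" inode=1235 dev=08:01 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1170267679.103:103): arch=40000003 syscall=5 success=yes exit=3 a0=bfd1 a1=0 a2=0 a3=0 items=1 pid=4323 auid=1000 uid=1000 gid=100 euid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1170267679.103:103): item=0 name="/etc/passwd" inode=1236 dev=08:01 mode=0100644 ouid=0 ogid=0'

# denied_opens: read audit records on stdin, print one line per matching event:
#   <serial> <uid> <exe> <path>
# Only SYSCALL records with exit=-13 and uid != 0 are kept; their serial
# number (the N in msg=audit(TIME:N)) is used to pick up the PATH record.
denied_opens() {
    awk '
    # Extract the event serial from "msg=audit(1170267679.101:101):".
    function serial(line,   s) {
        s = line
        sub(/^.*msg=audit\([0-9.]*:/, "", s)
        sub(/\).*$/, "", s)
        return s
    }
    # Value of " key=..." on the line, with surrounding quotes removed.
    # The leading space keeps "uid=" from matching inside "auid=" or "euid=".
    function field(line, key,   s) {
        if (match(line, " " key "=[^ ]*") == 0) return ""
        s = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", s)
        return s
    }
    /^type=SYSCALL / {
        if (field($0, "exit") == "-13" && field($0, "uid") != "0")
            want[serial($0)] = field($0, "uid") " " field($0, "exe")
        next
    }
    /^type=PATH / {
        s = serial($0)
        if (s in want) print s, want[s], field($0, "name")
    }'
}

# Stand-alone run over the constructed sample; on a real box use
#   denied_opens < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_LOG" | denied_opens
```

The output for the sample is the single line "101 1000 /bin/cat /etc/shadow": the root denial (102) and the successful open (103) are dropped. Where the userspace tools are usable, ausearch can do a coarser version of the same selection (ausearch -sc open -sv no); and on kernels whose filters do work, the rule the poster wanted is normally written with the errno name and the login uid, for example -a always,exit -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k denied, which keeps the log volume down at the source instead of in a script.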
 



This archive was generated by hypermail 2.1.7 : Wed Jan 31 2007 - 21:25:50 CET