I try to create an auditctl rule for the following situation:
There is a file created by root, owned by root, and with chmod 700. So no other user except root can read or write to it.
When I then try to do something using another user, I get a permission denied.
But this doesn’t show up in the audit log and I cannot find a working rule. I tried multiple rules:
-a always,exit -F arch=b64 -S all -F path=/home/test/test.txt -F success!=0 -k permission_denied
or from another thread here (this should show it for all files!)
-a always,exit -F arch=b64 -S open,openat -F exit=-EPERM -F key=permission_denied
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=permission_denied
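Once a rule does fire, the interesting part is picking the denied attempts out of the raw SYSCALL/PATH records. The following is an added example, not part of the question: a small Python parser that groups audit records by event id and reports the events tagged with the question's key that failed with EPERM or EACCES. The log lines are constructed samples in the audit.log format; field names follow the kernel's audit records, and the key name is the one used in the rules above.

```python
import re
from collections import defaultdict

# Constructed sample records in the format auditd writes to /var/log/audit/audit.log.
# Event 101: unprivileged user denied (EACCES, exit=-13); 102: root succeeds; 103: EPERM (exit=-1).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1 a2=0 a3=0 items=1 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="permission_denied"
type=PATH msg=audit(1700000000.101:101): item=0 name="/home/test/test.txt" inode=1234 dev=08:01 mode=0100700 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.102:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=4000 pid=4002 auid=0 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="permission_denied"
type=PATH msg=audit(1700000000.102:102): item=0 name="/home/test/test.txt" inode=1234 dev=08:01 mode=0100700 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.103:103): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=7ffd3 a2=0 a3=0 items=1 ppid=4000 pid=4003 auid=1000 uid=1000 gid=1000 euid=1000 comm="touch" exe="/usr/bin/touch" key="permission_denied"
type=PATH msg=audit(1700000000.103:103): item=0 name="/home/test/locked" inode=1235 dev=08:01 mode=0100700 ouid=0 ogid=0
"""

ERRNO = {-1: "EPERM", -13: "EACCES"}          # exit= carries the negative errno value
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
EVENT_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')  # serial number ties SYSCALL and PATH together

def parse_record(line):
    """Split one audit record into a dict of field -> value (surrounding quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    fields["event_id"] = int(m.group(1)) if m else None
    return fields

def denied_events(log_text, key="permission_denied"):
    """Return the SYSCALL events carrying `key` that failed with EPERM or EACCES, with their paths."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event_id"]].append(rec)
    denied = []
    for eid, recs in sorted(events.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not sc or sc.get("key") != key or sc.get("success") != "no":
            continue                      # only failed syscalls matched by our rule
        code = int(sc["exit"])
        if code not in ERRNO:
            continue                      # other failures (ENOENT, EINTR, ...) are not permission problems
        paths = [r["name"] for r in recs if r["type"] == "PATH"]
        denied.append({"event_id": eid, "uid": sc["uid"], "auid": sc["auid"],
                       "exe": sc["exe"], "errno": ERRNO[code], "paths": paths})
    return denied

if __name__ == "__main__":
    for ev in denied_events(SAMPLE_LOG):
        print(ev)
```

Feed it the real file (or `ausearch -k permission_denied --raw`) instead of SAMPLE_LOG to see which user and binary hit the protected file.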