Linux Mastering Development

Cannot log permission-denied errors using auditctl

I am trying to create an auditctl rule for the following situation:
There is a file created by root, owned by root, and with chmod 700, so no user except root can read or write to it.

When I then try to do something with it as another user, I get a permission denied error.

But this doesn't show up in the audit log, and I cannot find a working rule. I tried multiple rules:

-a always,exit -F arch=b64 -S all -F path=/home/test/test.txt -F success!=0 -k permission_denied

or, from another thread here (this should show it for all files!):

-a always,exit -F arch=b64 -S open,openat -F exit=-EPERM -F key=permission_denied
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=permission_denied

Any ideas?
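Whichever rule ends up firing on the box, the confirming step is the same: a denied open shows up as a SYSCALL record with success=no and exit=-13 (EACCES) or exit=-1 (EPERM), and the file it was denied on is in the PATH record that shares the same serial number. The script below is an added example, not code from the question or from this site; the log lines in it are constructed to mirror the scenario (a uid 1001 process denied on /home/test/test.txt, root succeeding on the same file), and the syscall-number table assumes an x86_64 host (arch=c000003e).

```python
import errno
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not taken from the question). Each
# syscall event is a SYSCALL record plus the CWD/PATH records that share its
# serial. Event 4242 is the question's scenario (uid 1001 denied on a
# root-owned 0700 file), 4243 is root opening the same file successfully,
# and 4244 is an EPERM failure on a different path.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c1a2b2a0 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="permission_denied"
type=CWD msg=audit(1700000000.123:4242): cwd="/home/test"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/home/test/test.txt" inode=131 dev=fd:00 mode=0100700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c1a2b2a0 a2=0 a3=0 items=1 ppid=1100 pid=1300 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="cat" exe="/usr/bin/cat" key="permission_denied"
type=PATH msg=audit(1700000000.456:4243): item=0 name="/home/test/test.txt" inode=131 dev=fd:00 mode=0100700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.789:4244): arch=c000003e syscall=2 success=no exit=-1 a0=7ffd1 a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1235 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="permission_denied"
type=PATH msg=audit(1700000000.789:4244): item=0 name="/root/secret" inode=77 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# x86_64 (arch=c000003e) syscall numbers for the calls the rules watch.
# Assumption: the log comes from an x86_64 host; other arches differ.
SYSCALL_NAMES = {2: "open", 257: "openat", 437: "openat2"}

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'k=v k2="quoted v"' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def group_records(log_text):
    """Group audit records by serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record line
        rtype, _ts, serial, body = m.groups()
        events[int(serial)][rtype].append(parse_fields(body))
    return events


def failed_access_events(log_text, wanted=("EACCES", "EPERM")):
    """Return events whose SYSCALL record failed with one of the given errnos,
    joined to the path(s) named in the PATH records of the same serial."""
    out = []
    for serial, recs in sorted(group_records(log_text).items()):
        for sc in recs.get("SYSCALL", []):
            if sc.get("success") != "no":
                continue
            # exit carries the negative errno on failure (e.g. -13 == EACCES)
            code = -int(sc.get("exit", "0"))
            name = errno.errorcode.get(code, f"errno{code}")
            if name not in wanted:
                continue
            out.append({
                "serial": serial,
                "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
                "errno": name,
                "uid": sc.get("uid"),
                "auid": sc.get("auid"),
                "comm": sc.get("comm"),
                "exe": sc.get("exe"),
                "key": sc.get("key"),
                "paths": [p["name"] for p in recs.get("PATH", []) if "name" in p],
            })
    return out


if __name__ == "__main__":
    for ev in failed_access_events(SAMPLE_LOG):
        print(f"{ev['serial']}: uid={ev['uid']} {ev['comm']} {ev['syscall']} "
              f"-> {ev['errno']} on {', '.join(ev['paths'])}")
```

On a live host the same join is what `ausearch -k permission_denied -sv no` performs; feeding `/var/log/audit/audit.log` to `failed_access_events` instead of the constructed sample is a quick way to confirm whether a denied open was recorded at all before suspecting the rule.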
