Why doesn't audit record a failed open() system call with EACCES upon a rule with -F dir= filter?

Solution Unverified - Updated -

Issue

  • We wanted to configure audit to record any failed file create, read, write, and execute operation under a particular directory, including its subdirectories.
  • We configured the following rule, and it almost worked.
-a always,exit -F dir=/testdir -F perm=rwx -k test
  • When a user does not have permission on a directory and tries to open a file in that directory, the open() system call fails with EACCES (Permission denied).
  • For example:
(With root user)
# mkdir /testdir
# chmod 700 /testdir
# chown root:root /testdir
# touch /testdir/testfile

(With a normal user)
$ cat /testdir/testfile
cat: /testdir/testfile: Permission denied

This event is never recorded in `audit.log`.
  • Why wasn't the failed event recorded?
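
To confirm the gap described above, it helps to count how many SYSCALL records under the rule's key actually failed with EACCES. The following is an added example, not part of the original article: the function name and the sample log lines are constructed for illustration (field list abbreviated), and `exit=-13` is the Linux errno value for EACCES.

```shell
#!/bin/sh
# Added example; the log lines are constructed and abbreviated, not real output.

# count_syscall_records KEY [eacces] < raw audit.log text
# Prints how many SYSCALL records carry key="KEY". With "eacces" as the
# second argument, only records that failed with exit=-13 (EACCES) count.
count_syscall_records() {
    awk -v want="key=\"$1\"" -v mode="${2:-all}" '
        $1 == "type=SYSCALL" {
            keyed = failed = denied = 0
            for (i = 2; i <= NF; i++) {
                if ($i == want)         keyed  = 1
                if ($i == "success=no") failed = 1
                if ($i == "exit=-13")   denied = 1
            }
            if (keyed && (mode == "all" || (failed && denied))) n++
        }
        END { print n + 0 }'
}

# Constructed log: root reads the file (recorded under key "test"); an
# unrelated rule with another key logs a denial elsewhere.
sample_log_root_only() {
    cat <<'EOF'
type=SYSCALL msg=audit(1500000000.101:201): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2101 uid=0 comm="cat" exe="/usr/bin/cat" key="test"
type=PATH msg=audit(1500000000.101:201): item=0 name="/testdir/testfile" inode=131 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1500000000.202:202): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2102 uid=1000 comm="cat" exe="/usr/bin/cat" key="other"
EOF
}

# Constructed log: the same records plus one showing the shape a recorded
# EACCES failure under key "test" would have.
sample_log_with_denial() {
    sample_log_root_only
    cat <<'EOF'
type=SYSCALL msg=audit(1500000000.303:203): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2103 uid=1000 comm="cat" exe="/usr/bin/cat" key="test"
EOF
}

echo "key=test records:    $(sample_log_root_only | count_syscall_records test)"
echo "EACCES, root only:   $(sample_log_root_only | count_syscall_records test eacces)"
echo "EACCES, with denial: $(sample_log_with_denial | count_syscall_records test eacces)"
```

On a live system, feed the function the real log as root, for example `count_syscall_records test eacces < /var/log/audit/audit.log`; a result of 0 after the failed `cat` reproduces the behaviour described in this issue.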

Environment

Red Hat Enterprise Linux 7
