I am setting up a new Linux box, and this one has really odd auditing requirements. One of the requirements is to log every failed attempt to create a file in a directory the user doesn't have access to (such as logging an attempt to touch /etc/testfile ).

It currently isn't logging that, and I can't find any references (google or documentation) on how to enable that. Currently I have the following in my syslog.conf file:

kern.*
daemon.*
syslog.*
lpr,news,uucp,local@,local1,local2,local3,local4,local5,local6.*
authpriv.*
mail.*
cron.*
*.emerg
news.crit
local7.*

Does anybody know what I am missing to log the failed file creation attempt?

Thanks.

Its not logged normally. If a message was being generated then it'd appear in the default log file. The syslog.conf file just tells the syslog daemon what to do with the various messages.

The audit system is probably your best bet. I've never had the need to log this though so I've no idea if its possible or not.

Look at the docs for auditd and auditctl.

I don't know offhand, but the hooks to do something like that probably exist in the security model code -- for SELinux and/or apparmor.

But if you control/build your own kernels, then it's like a 2-line patch to just add it to the main kernel source. Sample patch attached.

-ml

Awesome, thanks for the help.