Amy Griffis wrote: [Fri Jul 29 2005, 04:17:12PM EDT]
> I've discovered another situation where audit is still auditing
> itself.

That was a bad diagnosis. The problem I see is an effect of running
sudo with this rule:

    auditctl -a entry,always -S close

Using the following set of rules produces normal-looking behavior,
i.e. no audit record floods.

    auditctl -w /usr/bin/sudo -p x
    auditctl -a entry,possible -S close

My apologies for the false alarm.

Amy