On Wednesday 08 June 2005 17:10, Amy Griffis wrote:
> When adding the 31st rule, the 'No watches' message is not printed
> following the auditctl command to add the rule, or any subsequent
> auditctl -l calls. This seems to happen for any number of rules
> greater than 30.

I fixed this today. There is a timeout counter that triggers on 30 times
around the loop. It wasn't always getting reset. Will be in 0.9.3.

> When the 61st rule is added, it does not appear in the rules list when
> adding the rule, or any following auditctl -l calls. 60 seems to be
> the maximum number of rules that can be listed. I do see an 'added an
> audit rule' message in the audit log for the 61st rule, and can
> generate audit records from it.

Probably related to the above.

> On a related note, I've been working on putting together a default
> CAPP configuration that can be loaded via auditctl, similar to LAuS's
> filter.conf file. Has anyone else been working on this?

I think it would be useful for a sample configuration to be available for
system admins to customize.

-Steve