Hi,
I tested filtering, works as expected. This generates something
like:
type=KERNEL msg=audit(1109726066.172:15813214): item=0 name=/etc/passwd inode=8916426
dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00
I tried to have it do what I want, but I wasn't successful.
A typical log line looks like this:
type=KERNEL msg=audit(1109729446.695:310443): item=0
name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600
uid=1000 gid=1000 rdev=00:00
Now I want to log only accesses to my IDE disk, so I tried
/usr/local/sbin/auditctl -a entry,always -S open -F devmajor=3
My current list of filters is then
AUDIT_LIST: entry always syscall=execve
AUDIT_LIST: entry always devmajor=3 (0x3) syscall=open
And only execs are logged afterwards.
This is with audit 0.6.4, 2.6.11rc4, with the patch you sent earlier
(the only differences I could find are that in the patch I applied, ino=0
and not -1 in the 5th chunk, and the missing forward declaration in
audit.h)
Greetings,
Erich Schubert
--
erich(a)(mucl.de|debian.org) -- GPG Key ID: 4B3A135C (o_
To understand recursion you first need to understand recursion. //\
Where friendly paths come together, the whole world looks V_/_
like home for an hour. --- Hermann Hesse
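As an added illustration (not part of the original message or of the audit tools), here is a small Python parser for records in the format quoted above. It decodes the hex dev=major:minor field (03:05 is major 3, the IDE disk; fd:00 is major 253) and selects the records a devmajor filter would be expected to match, so the kernel's output can be checked against the rule. The sample records are the two quoted in the message, joined onto single lines.

```python
import re

# Constructed sample input: the two records quoted above, each joined onto one line.
SAMPLE_RECORDS = [
    "type=KERNEL msg=audit(1109726066.172:15813214): item=0 name=/etc/passwd "
    "inode=8916426 dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00",
    "type=KERNEL msg=audit(1109729446.695:310443): item=0 "
    "name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600 "
    "uid=1000 gid=1000 rdev=00:00",
]

# key=value pairs; values may be quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields.
    The msg=audit(ts:serial) field is also split into 'timestamp' and 'serial'."""
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    m = re.match(r"audit\(([\d.]+):(\d+)\)", fields.get("msg", ""))
    if m:
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields


def parse_dev(dev):
    """dev= and rdev= are printed as hex major:minor, so fd:00 is major 253."""
    major, minor = dev.split(":")
    return int(major, 16), int(minor, 16)


def records_on_devmajor(lines, major):
    """Return the parsed records whose dev= major matches, i.e. the set a
    'devmajor=<major>' filter is expected to select."""
    matched = []
    for line in lines:
        rec = parse_record(line)
        if "dev" in rec and parse_dev(rec["dev"])[0] == major:
            matched.append(rec)
    return matched


if __name__ == "__main__":
    # Records on the IDE disk (major 3); mode= is octal.
    for rec in records_on_devmajor(SAMPLE_RECORDS, 3):
        print(rec["name"], rec["dev"], oct(int(rec["mode"], 8)))
```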