Hi Steve,
For the new 'arch' field, would this be the correct auditctl usage?
To audit 32bit chmod syscall:
auditctl -a  exit,always -S chmod -F arch=32
To audit 64bit chmod syscall:
auditctl -a  exit,always -S chmod -F arch=64
Can you also do:
auditctl -a entry,always -S 15 -F arch=32
Thanks!
debbie
linux-audit-bounces(a)redhat.com wrote on 04/01/2005 01:39:00 PM:
 Hello,
 Another audit package has been released. This release is mostly code cleanups and getting things finalized for Fedora Core 4. It can be downloaded from http://people.redhat.com/sgrubb/audit
 The changelog includes:
 - Code cleanups
 - Support the arch field for auditctl
 - Add version to auditctl command
 - Documentation updates
 - Moved default location of the audit log to /var/log/audit/audit.log
 The default location for the audit log was moved for a couple reasons. We want to put it in a place that could be used as a mount point. People doing any serious auditing need to have a partition set aside just for auditing. This move, by default, will make it easier for people to do that. We also wanted to put it in its own directory so that we can add some SE Linux policy later to protect the logs.
 The audit watch list code is not in this release. I feel that we still need to discuss the way it needs to work and solidify that before I put it into the FC4 distribution. The watch add & remove I think are fine and the code is included so that one day when this gets upstream and that kernel gets released, everyone can start using it.
 Let me know if there are any problems with this latest release.
 Thanks,
 -Steve Grubb
 --
 Linux-audit mailing list
 Linux-audit(a)redhat.com
 http://www.redhat.com/mailman/listinfo/linux-audit
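
Added example, not part of the original thread or of the audit package: it shows why a numeric rule such as `-S 15` needs an arch qualifier, by decoding the arch and syscall fields of SYSCALL records. Syscall 15 is chmod on i386 but rt_sigreturn on x86_64, where chmod is 90. The log lines are constructed, and the syscall tables hold only these entries.

```python
import re

# AUDIT_ARCH_* values from <linux/audit.h>: ELF machine number plus the
# 0x40000000 (little-endian) and 0x80000000 (64-bit) flag bits.
AUDIT_ARCH = {0x40000003: "i386", 0xC000003E: "x86_64"}

# Deliberately partial syscall tables: only the numbers discussed here.
SYSCALLS = {
    "i386": {15: "chmod"},
    "x86_64": {15: "rt_sigreturn", 90: "chmod"},
}

FIELD = re.compile(r"\b(arch|syscall)=(\S+)")
SERIAL = re.compile(r"audit\([\d.]+:(\d+)\)")

# Constructed sample records in the audit.log SYSCALL layout.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1112380740.101:41): arch=40000003 syscall=15 success=yes exit=0 pid=2101 comm="chmod"',
    'type=SYSCALL msg=audit(1112380740.202:42): arch=c000003e syscall=15 success=yes exit=0 pid=2102 comm="sshd"',
    'type=SYSCALL msg=audit(1112380740.303:43): arch=c000003e syscall=90 success=yes exit=0 pid=2103 comm="chmod"',
    'type=PATH msg=audit(1112380740.303:43): name="/etc/passwd"',
]

def decode(record):
    """Return (arch_name, syscall_name), or None if a field is missing."""
    fields = dict(FIELD.findall(record))
    if "arch" not in fields or "syscall" not in fields:
        return None
    arch = AUDIT_ARCH.get(int(fields["arch"], 16), "unknown")
    number = int(fields["syscall"])
    name = SYSCALLS.get(arch, {}).get(number, "unknown(%d)" % number)
    return arch, name

def chmod_events(lines):
    """Return (serial, arch) for records that are really chmod on their ABI."""
    hits = []
    for line in lines:
        decoded = decode(line) if line.startswith("type=SYSCALL") else None
        serial = SERIAL.search(line)
        if decoded and serial and decoded[1] == "chmod":
            hits.append((int(serial.group(1)), decoded[0]))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(decode(line))
    print(chmod_events(SAMPLE_LOG))
```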