Hi Steve,
For the new 'arch' field, would this be the correct auditctl usage?
To audit the 32-bit chmod syscall:
auditctl -a exit,always -S chmod -F arch=32
To audit the 64-bit chmod syscall:
auditctl -a exit,always -S chmod -F arch=64
Can you also do:
auditctl -a entry,always -S 15 -F arch=32
Thanks!
debbie
linux-audit-bounces@redhat.com wrote on 04/01/2005 01:39:00 PM:
> Hello,
> Another audit package has been released. This release is mostly code cleanups
> and getting things finalized for Fedora Core 4. It can be downloaded from
> http://people.redhat.com/sgrubb/audit
> The changelog includes:
> - Code cleanups
> - Support the arch field for auditctl
> - Add version to auditctl command
> - Documentation updates
> - Moved default location of the audit log to /var/log/audit/audit.log
> The default location for the audit log was moved for a couple reasons. We want
> to put it in a place that could be used as a mount point. People doing any
> serious auditing need to have a partition set aside just for auditing. This
> move, by default, will make it easier for people to do that. We also wanted
> to put it in its own directory so that we can add some SE Linux policy later
> to protect the logs.
> The audit watch list code is not in this release. I feel that we still need to
> discuss the way it needs to work and solidify that before I put it into the
> FC4 distribution. The watch add & remove I think are fine and the code is
> included so that one day when this gets upstream and that kernel gets
> released, everyone can start using it.
> Let me know if there are any problems with this latest release.
> Thanks,
> -Steve Grubb