On Monday 16 May 2005 11:02, Loulwa Salem wrote:
> I am still seeing some problems with missing watch records
Me, too. Using the i686 .36 kernel:
[root@endeavor ~]# /etc/rc.d/init.d/auditd stop
Stopping auditd: [ OK ]
[root@endeavor ~]# rm -f /var/log/audit/audit.log
[root@endeavor ~]# /etc/rc.d/init.d/auditd start
Starting auditd: [ OK ]
[root@endeavor ~]# auditctl -l
No rules
No watches
[root@endeavor ~]# auditctl -w /etc/passwd -k fk_passwd -p rwea
No rules
AUDIT_WATCH_LIST: dev=3:2, path=/etc/passwd, filterkey=fk_passwd, perms=15, valid=0
[root@endeavor ~]# cat /etc/passwd >/dev/null
[root@endeavor ~]# tail /var/log/audit/audit.log
type=DAEMON_START msg=audit(1116256955.597:932) auditd start, ver=0.8.1, format=raw, uid=4325, auditd pid=2751
type=CONFIG_CHANGE msg=audit(1116256955.810:0): audit_enabled=1 old=1 by auid 4325
type=CONFIG_CHANGE msg=audit(1116256956.013:0): audit_backlog_limit=1024 old=1024 by auid 4325
type=CONFIG_CHANGE msg=audit(1116256965.066:0): auid 4325 inserted watch
[root@endeavor ~]# auditctl -W /etc/passwd -k fk_passwd -p rwea
No rules
No watches