linux-audit-bounces@redhat.com wrote on 04/06/2005 10:41:06 AM:

> I'm uploading the audit.19 kernel. It has Tim's latest patch and my
> patch to log signals sent to the audit dæmon.
>
> --
> dwmw2
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit

I am seeing an inconsistent behavior when testing the watches with this kernel. Is anybody else encountering something similar?

Below you will find the manual steps I am performing, and they only generate two records (for the first touch, and the remove).
I also tried to set permissions to "reaw" to ensure I get all records, but that didn't help either.

[root@checkered objident]# uname -a
Linux checkered.ltc.austin.ibm.com 2.6.9-5.0.3.EL.audit.19 #1 Wed Apr 6 09:10:02 EDT 2005 i686 i686 i386 GNU/Linux
[root@checkered objident]# rpm -qa | grep audit
audit-libs-0.6.10-1
audit-0.6.10-1
kernel-2.6.9-5.0.3.EL.audit.19
audit-libs-devel-0.6.10-1


[root@checkered lib]# auditctl -w /tmp/test_file -k file-key
No rules
[root@checkered lib]# touch /tmp/test_file
[root@checkered lib]# cat /tmp/test_file
[root@checkered lib]# cp /tmp/test_file /tmp/something
[root@checkered lib]# touch /tmp/test_file
[root@checkered lib]# cp /tmp/something /tmp/test_file
cp: overwrite `/tmp/test_file'? y
[root@checkered lib]# rm /tmp/test_file
rm: remove regular empty file `/tmp/test_file'? y


type=KERNEL msg=audit(1112950099.362:0): audit_enabled=1 old=1 by auid 4294967295
type=KERNEL msg=audit(1112950147.072:4062817): item=0 name="/tmp/test_file" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112950147.072:4062817): auxitem=1 name="test_file" filterkey=file-key perm=0 perm_mask=2 inode=2224460 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1112950147.072:4062817): syscall=5 arch=40000003 success=yes exit=3 a0=bff7cbb2 a1=8941 a2=1b6 a3=8941 items=1 pid=4538 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1112950218.048:4070039): item=0 name="/tmp/test_file" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112950218.048:4070039): auxitem=1 name="test_file" filterkey=file-key perm=0 perm_mask=2 inode=2224460 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1112950218.048:4070039): syscall=10 arch=40000003 success=yes exit=0 a0=bffa1bb8 a1=0 a2=80505e4 a3=bffa1bb8 items=1 pid=4543 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rm" exe=/bin/rm


- Loulwa
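As an added example (not part of Loulwa's message or of the audit tools themselves), the Python below groups the records pasted above by their audit serial number, lists the events that carry the watch's filterkey, and compares them with the commands that were typed in the session. The sample log is the six records from the message, copied verbatim so the script runs offline; the i386 syscall-number table (arch=40000003) is an assumption of the example and only covers the numbers needed to read this session.

```python
import re
from collections import OrderedDict

# Constructed sample: the six records from the message above, copied verbatim.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1112950099.362:0): audit_enabled=1 old=1 by auid 4294967295
type=KERNEL msg=audit(1112950147.072:4062817): item=0 name="/tmp/test_file" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112950147.072:4062817): auxitem=1 name="test_file" filterkey=file-key perm=0 perm_mask=2 inode=2224460 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1112950147.072:4062817): syscall=5 arch=40000003 success=yes exit=3 a0=bff7cbb2 a1=8941 a2=1b6 a3=8941 items=1 pid=4538 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1112950218.048:4070039): item=0 name="/tmp/test_file" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112950218.048:4070039): auxitem=1 name="test_file" filterkey=file-key perm=0 perm_mask=2 inode=2224460 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1112950218.048:4070039): syscall=10 arch=40000003 success=yes exit=0 a0=bffa1bb8 a1=0 a2=80505e4 a3=bffa1bb8 items=1 pid=4543 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rm" exe=/bin/rm
"""

# Assumption: i386 syscall numbers (arch=40000003 is AUDIT_ARCH_I386);
# only the entries needed to read a session like the one above.
I386_SYSCALL_NAMES = {3: "read", 4: "write", 5: "open", 6: "close",
                      8: "creat", 10: "unlink", 11: "execve"}

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; a value is either a "quoted string" or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Turn the key=value tail of a record into a dict, unquoting strings."""
    fields = {}
    for key, val in FIELD_RE.findall(body):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def group_events(log_text):
    """Group records by audit serial number, keeping arrival order.

    Returns OrderedDict: serial -> {'time': float, 'records': [field dicts]}.
    The 'audit_enabled' line has no '=' pairs after 'by auid', so only its
    leading fields are kept; it still becomes its own (serial 0) event."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = parse_fields(body)
        fields["_type"] = rtype
        ev = events.setdefault(int(serial), {"time": float(ts), "records": []})
        ev["records"].append(fields)
    return events


def summarize_watch_hits(log_text, key):
    """List (serial, syscall name, comm, success, watched name) for every
    event that carries an auxitem with filterkey == key, i.e. every event
    the watch actually produced."""
    hits = []
    for serial, ev in group_events(log_text).items():
        recs = ev["records"]
        aux = [r for r in recs if r.get("filterkey") == key]
        sc = next((r for r in recs if "syscall" in r), None)
        if not aux or sc is None:
            continue
        num = int(sc["syscall"])
        hits.append((serial, I386_SYSCALL_NAMES.get(num, str(num)),
                     sc.get("comm"), sc.get("success"), aux[0].get("name")))
    return hits


def missing_operations(typed_commands, hits):
    """Commands from the session (by comm name) that produced no watch hit.
    Duplicates are collapsed, so a second 'touch' is not reported separately."""
    seen = {h[2] for h in hits}
    return [c for c in dict.fromkeys(typed_commands) if c not in seen]


if __name__ == "__main__":
    hits = summarize_watch_hits(SAMPLE_LOG, "file-key")
    for serial, name, comm, ok, target in hits:
        print("%d %-7s comm=%-6s success=%s name=%s" % (serial, name, comm, ok, target))
    print("no watch record for:",
          missing_operations(["touch", "cat", "cp", "touch", "cp", "rm"], hits))
```

Run against the session in the message, it reports only the open from the first touch and the unlink from rm, and lists cat and cp as the commands that left no record for the watched file; pointing it at a live /var/log/audit/audit.log from the same kernel is the quickest way to check whether another build behaves the same.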