Re: audit 0.6.10 released
On Tuesday 05 April 2005 15:26, Debora Velarde wrote:
For the new 'arch' field. Would this be the correct auditctl
usage?
In a word. No.
I just looked at the arch patch to the kernel. I think I'll need to do some
work on auditctl. There's a lot of defines getting or'd together and that
just won't work for what you want.
David, how did you intend userspace to compute a correct value? For example,
my 2 bit machine has arch=40000003.
I also just noticed that success is now "yes" or "no". It was 0 and 1.
When
someone does this:
-a entry,always -S open -F success!=0
The logs no longer match.
Both of these changes should have been announced on this mail list in case
there are impacts. I have to document this stuff in the auditctl man pages,
too.
-Steve