Steve Grubb wrote:
> On Wednesday 17 May 2006 17:12, Michael C Thompson wrote:
>>> Please let me know if there are any problems with this release.
>> auditctl -a entry,always -S chmod -F "watch=/root/file"
>>
>> This fails... how is one supposed to use the new 'watch' field filter?
> This was already reported on SE Linux mail list last week. The short answer is
> that policy needs to be adjusted to make this work. I don't know if the
> changes have been rolled out yet. Just as a test, try "setenforce 0" and then
> load the audit rule.
The above command was tried in permissive mode. The resulting error is:
# auditctl -a entry,always -S chmod -F "watch=/root/file"
-F unknown field: watch=/root/file
Thanks,
Mike