On Thursday 02 June 2005 10:55, Steve Grubb wrote:
> On Thursday 02 June 2005 11:13, Timothy R. Chavez wrote:
> > Yes, that problem has been addressed and should no longer be the behavior
> > in audit.52. Rename()'ing a directory does not destroy its watchlist.
>
> This is fixed...but there's still problems.
>
> mv /mnt/target/etc/passwd /mnt/target/etc/passwd.old
> mv /mnt/target/etc /mnt/target/etc-old
> auditctl -D
> Error sending list request (No such file or directory)
> NLMSG_ERROR 2 (No such file or directory) type=2 seq=3
> No watches
> AUDIT_WATCH_LIST: dev=3:9, path=/mnt/target/etc/passwd, filterkey=test,
> perms=rwea, valid=0
>
> When a rule is asked to be deleted, and it matches a rule in the master list,
> it should be deleted even if the path is no longer valid.

good idea

> Also when I access the file in the new name and new dir, no records are
> generated. When I make either a mv dir or mv file (but not both), records are
> generated.
>
> Also, anytime I set file watches and reboot, I get a message about unfreed
> inodes will self destruct in 5 seconds...

Yep... that's because you didn't delete them from the file system when you
unmounted the filesystem and thus you were still holding on to references
to the inodes which prevented them from being freed.
let me see what I can come up with
-tim