Steve Grubb wrote:
> This version also corrects user & watch list filtering.
> Please let me know if there are any problems.

When adding auid filters on watches .. and executing "auditctl -l" I
don't see a list of the newly added filter rules ... Is that the
behavior you intended?
(I am on kernel.65 on i386 system)
Example:
# auditctl watch,always -F auid=something
# auditctl watch,never -F auid=something
# auditctl -l
No rules
No watches
Also .. the above commands don't seem to be actually filtering .. so I
don't know if that is because the mechanism might not be working, or
maybe the filters aren't getting inserted since I don't see them in the
listing ..
Thanks,
- Loulwa