Re: auditctl bug: load rules from file
On Tuesday 26 July 2005 16:11, Steve Grubb wrote:
On Tuesday 26 July 2005 16:48, Amy Griffis wrote:
> # auditctl -a entry,always open
>
> # auditctl -l
> AUDIT_LIST: entry,always syscall=all
> No watches
jeez. I wished this was reported a long time ago. This behavior has probably
been there from the beginning. I'm glad you are reporting it. Adding to TODO
list...
This isn't a userspace issue, but do you think this should be permitted? I'd
expect a "Rule already exists" type error *shrug*
[root@liltux ~]# auditctl -aexit,always -S open
[root@liltux ~]# auditctl -l
AUDIT_LIST: exit,always syscall=open
No watches
[root@liltux ~]# auditctl -aexit,always -S open
[root@liltux ~]# auditctl -l
AUDIT_LIST: exit,always syscall=open
AUDIT_LIST: exit,always syscall=open
-tim
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit