--- Valdis.Kletnieks(a)vt.edu wrote:
> I can *guarantee* that something you will eventually
> be asked is:

You are correct. It won't even take long.

> "What auditctl rules do I need to split things into
> classes equivalent to
> the Solaris/AIX/Irix (pick one or more) audit
> classes?"

Chuckle. Irix does not have audit classes.
This is for the simple reason that Solaris
does and the lesson learned is that it is
impossible to find any two people who can
agree on what should be grouped together.
On Irix you have to tell it what events
you want.

> (Am pressed for time, don't have the Irix pointer
> handy)

http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi/srch5@audit/0650/b...
Of course, neither system audits on a system
call basis. Events are selected by the policy
enforced. This may confound those who don't
realize that because of this policy perspective
turning on audit for chown() will also enable
audit for chmod().
Chown and chmod are controlled by the
file-system-object-attribute-write policy.
You can (on those U2X systems) monitor
that policy's enforcement in the kernel
but if you want to audit all calls to chmod
you need to watch that policy and filter
out all other system call records.
=====
Casey Schaufler
casey(a)schaufler-ca.com
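
An added example, not part of the original message: on Linux the same "watch the group, then filter" step can be done over audit records, here selecting only the chmod family out of a class that also covers chown. It assumes x86_64 syscall numbers and a rule key named "attr-write" (a hypothetical name); the log lines are constructed.

```python
import re

# x86_64 (arch=c000003e) syscall numbers that change file mode or ownership.
ATTR_WRITE = {90: "chmod", 91: "fchmod", 268: "fchmodat",
              92: "chown", 93: "fchown", 94: "lchown", 260: "fchownat"}
CHMOD_FAMILY = {"chmod", "fchmod", "fchmodat"}

# Constructed sample records in Linux audit.log layout. The key "attr-write"
# is an assumed name, set by whatever rule (auditctl -k) groups these calls.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.101:41): arch=c000003e syscall=90 success=yes exit=0 uid=1000 comm="chmod" key="attr-write"
type=PATH msg=audit(1700000000.101:41): item=0 name="/srv/app/run.sh" mode=0100755
type=SYSCALL msg=audit(1700000001.220:42): arch=c000003e syscall=92 success=yes exit=0 uid=0 comm="chown" key="attr-write"
type=SYSCALL msg=audit(1700000002.005:43): arch=c000003e syscall=268 success=no exit=-13 uid=1000 comm="install" key="attr-write"
type=SYSCALL msg=audit(1700000003.310:44): arch=c000003e syscall=2 success=yes exit=3 uid=1000 comm="cat" key="file-open"
type=SYSCALL msg=audit(1700000004.900:45): arch=c000003e syscall=94 success=yes exit=0 uid=0 comm="tar" key="attr-write"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r'audit\(\d+\.\d+:(\d+)\)')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = SERIAL.search(line)
    fields["serial"] = m.group(1) if m else None
    return fields

def select(log, key, wanted=None):
    """Return (serial, syscall name, success) for SYSCALL records carrying
    `key`; if `wanted` is given, keep only those syscall names."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        if rec.get("arch") != "c000003e":   # numbers differ per architecture
            continue
        name = ATTR_WRITE.get(int(rec["syscall"]))
        if name and (wanted is None or name in wanted):
            hits.append((rec["serial"], name, rec["success"]))
    return hits

if __name__ == "__main__":
    print("whole class:", select(SAMPLE_LOG, "attr-write"))
    print("chmod only: ", select(SAMPLE_LOG, "attr-write", CHMOD_FAMILY))
```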