On Wednesday 22 June 2005 21:51, Loulwa Salem wrote:
> Steve Grubb wrote:
> > This version also corrects user &
> > watch list filtering.
> >
> > Please let me know if there are any problems.
>
> when adding auid filters on watches .. and executing "auditctl -l" I
> don't see a list of the newly added filter rules ... Is that the
> behavior you intended?

[root@endeavor ~]# auditctl -a watch,never -F loginuid=500
[root@endeavor ~]# auditctl -l
AUDIT_LIST: watch,never auid=500 (0x1f4) syscall=
No watches
[root@endeavor ~]# auditctl -D
No rules
No watches

Works for me. ??

> Also .. the above commands don't seem to be actually filtering .. so I
> don't know if that is because the mechanism might not be working, or
> maybe the filters aren't getting inserted since I don't see them in the
> listing ..

Not sure. David, have you played with the latest auditctl and checked
everything out? For example, I just tried this and hung the machine:

auditctl -a watch,never -F loginuid=-1
auditctl -a entry,always -S all

It locked up the machine solid. No flashing disk lights and caps lock key
didn't toggle light.

-Steve