On Thu, 2005-06-23 at 12:47 -0500, Loulwa Salem wrote:
> auditctl -a watch,always -F auid=uid1
> auditctl -a watch,never -F auid=uid2
> Neither seems to work .. in the log I still see watch records for open
> on the watched file generated by both users!!

Watch filters should have a syscall. If you didn't specify any, then I'd
guess that neither of those rules are matching, so you're getting the
default behaviour.
--
dwmw2