Amy Griffis wrote:
Steve wrote: [Fri Jul 07 2006, 10:58:42AM EDT]
> I have found that I can modify files that are being watched and audit
> does not catch it (i.e., no events are dispatched). When monitoring a file for
> all system calls, I can:
>
> echo "" > /file/to/watch
>
> or
>
> cat some_file > /file/to/watch
>
> without generating audit events.

Are you seeing the open and not the write, or no records at all?
If you are missing events for open() calls, please let us know since
that would be a bug (versus a lacking feature).

I am not seeing the open() or any other syscall records.
Steve