On Thursday 06 January 2005 17:40, Steve Grubb wrote:
> assuming user x is uid 501
> auditctl -a entry always -S unlink -F uid=501 arg0=file
This doesn't work. a0 doesn't take strings. You can look up the inode for the
file (if it doesn't change much). Should be something more like this:
auditctl -a entry,always -S unlink -F uid=501 -F success!=0 -F inode=12345
But the success flag just doesn't seem to be working right, either...
-Steve Grubb