On Monday, November 08, 2010 08:39:30 pm Mike Nixon wrote:
> This might be a dumb question but why not just manually edit the
> audit.rules file using 'vi' or some other text editor instead of using
> auditctl?

For permanent changes, I think that is what you want to do. But there may be times
when you are short on disk space and want to pull one, or maybe you were experimenting
and now you want to remove what you put in. :)
But this reminds me that we should have some capability to compare the rules file with
what's in the kernel.
-Steve
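
A sketch of the comparison mentioned in the reply above, added here as an example; it is not part of the original message or of the audit package. It normalizes rule lines from an audit.rules file and from a listing of loaded rules, then reports the differences. It assumes the listing uses rules-file syntax (as newer `auditctl -l` prints); `normalize`, `compare` and both sample texts are constructed for illustration.

```python
import shlex

# Constructed samples: one rule was pulled from the kernel, one experimental
# watch was added by hand and never written to the file.
RULES_FILE = """\
# constructed sample audit.rules
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a exit,always -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access
"""
LOADED = """\
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=access
-w /tmp/test -p x -k experiment
"""

def normalize(line):
    """Return an order-insensitive canonical form of one rule, or None."""
    tok = shlex.split(line, comments=True)
    if not tok or tok[0] not in ("-a", "-A", "-w"):
        return None  # blank, comment, or control line such as -D / -b / -e
    items = set()
    for opt, arg in zip(tok[0::2], tok[1::2]):
        if opt in ("-a", "-A"):      # "exit,always" equals "always,exit"
            items.add(("a", ",".join(sorted(arg.split(",")))))
        elif opt == "-S":            # "-S a -S b" equals "-S a,b"
            items.update(("S", s) for s in arg.split(","))
        elif opt == "-k":            # "-k x" equals "-F key=x"
            items.add(("F", "key=" + arg))
        elif opt == "-p":            # permission letters in any order
            items.add(("p", "".join(sorted(arg))))
        else:                        # -w path, -F field, anything else
            items.add((opt.lstrip("-"), arg))
    return frozenset(items)

def compare(rules_file_text, loaded_text):
    """Return (rules only in the file, rules only in the kernel listing).
    Rule order is ignored in this example."""
    on_disk = {normalize(l): l.strip() for l in rules_file_text.splitlines()}
    loaded = {normalize(l): l.strip() for l in loaded_text.splitlines()}
    on_disk.pop(None, None)
    loaded.pop(None, None)
    not_loaded = [text for key, text in on_disk.items() if key not in loaded]
    not_on_disk = [text for key, text in loaded.items() if key not in on_disk]
    return not_loaded, not_on_disk

if __name__ == "__main__":
    missing, extra = compare(RULES_FILE, LOADED)
    print("in file, not loaded:", missing)
    print("loaded, not in file:", extra)
```

On a live system the second argument would be the output of `auditctl -l`, run as root.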