On 3/22/06, Steve Brueckner <steve(a)atc-nycorp.com> wrote:
> I'm having trouble getting started with audit on FC4.
> First, it appears I don't have file watch enabled in my kernel. Is file
> watch enabled in the FC5 kernel, or still only in RHEL?

It is only enabled in the RHEL-4 kernels. The patch for this was not
accepted upstream and is being reworked for inclusion in the 2.6.17/18
timeframe (if I have my notes correct). I am not sure that the below
would work without the file patches.

> Second, I tried a basic test to audit files opened by a specific user (per
> the auditctl man page) but it doesn't seem to work:

--
Stephen J Smoogen.
CSIRT/Linux System Administrator