On Monday 16 May 2005 10:27, Steve Grubb wrote:
On Monday 16 May 2005 11:02, Loulwa Salem wrote:
> I am still seeing some problems with missing watch records
Me, too. Using the i686 .36 kernel:
[root@endeavor ~]# /etc/rc.d/init.d/auditd stop
Stopping auditd: [ OK ]
[root@endeavor ~]# rm -f /var/log/audit/audit.log
[root@endeavor ~]# /etc/rc.d/init.d/auditd start
Starting auditd: [ OK ]
[root@endeavor ~]# auditctl -l
No rules
No watches
[root@endeavor ~]# auditctl -w /etc/passwd -k fk_passwd -p rwea
No rules
AUDIT_WATCH_LIST: dev=3:2, path=/etc/passwd, filterkey=fk_passwd, perms=15,
valid=0
[root@endeavor ~]# cat /etc/passwd >/dev/null
[root@endeavor ~]# tail /var/log/audit/audit.log
type=DAEMON_START msg=audit(1116256955.597:932) auditd start, ver=0.8.1,
format=raw, uid=4325, auditd pid=2751
type=CONFIG_CHANGE msg=audit(1116256955.810:0): audit_enabled=1 old=1 by
auid 4325
type=CONFIG_CHANGE msg=audit(1116256956.013:0): audit_backlog_limit=1024
old=1024 by auid 4325
type=CONFIG_CHANGE msg=audit(1116256965.066:0): auid 4325 inserted watch
[root@endeavor ~]# auditctl -W /etc/passwd -k fk_passwd -p rwea
No rules
No watches
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
Interesting... I'm not seeing these problems (at least not with the latest
update patch I replied to the #7U5 thread with)... let me look into it deeper
-tim
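
An added example, not part of the original messages: a small Python check for the symptom in the transcript, a logged "inserted watch" event followed by no record for the watched key. The log text is the tail output above with the mail line wraps rejoined; the function names, and the assumption that a watch record would carry a `filterkey=<key>` field, are this example's own.

```python
import re

# Record header as it appears in the transcript. DAEMON_START has no ':'
# after the closing parenthesis, so the colon is optional.
RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):? ?(.*)$")

# Taken from the transcript above, with mail line wraps rejoined.
TRANSCRIPT_LOG = """\
type=DAEMON_START msg=audit(1116256955.597:932) auditd start, ver=0.8.1, format=raw, uid=4325, auditd pid=2751
type=CONFIG_CHANGE msg=audit(1116256955.810:0): audit_enabled=1 old=1 by auid 4325
type=CONFIG_CHANGE msg=audit(1116256956.013:0): audit_backlog_limit=1024 old=1024 by auid 4325
type=CONFIG_CHANGE msg=audit(1116256965.066:0): auid 4325 inserted watch
"""


def parse(text):
    """Split raw audit log text into dicts: type, time, serial, body."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            records.append({"type": rtype, "time": float(ts),
                            "serial": int(serial), "body": body})
    return records


def watch_hits(text, key):
    """Records naming `key` that follow the last 'inserted watch' event.

    Returns None when no watch insertion was logged at all, and an empty
    list when a watch was inserted but nothing for the key followed it.
    Assumption: a watch record carries a 'filterkey=<key>' field.
    """
    records = parse(text)
    inserted = [i for i, r in enumerate(records)
                if r["type"] == "CONFIG_CHANGE" and "inserted watch" in r["body"]]
    if not inserted:
        return None
    field = re.compile(r"\bfilterkey=" + re.escape(key) + r"(?![\w-])")
    return [r for r in records[inserted[-1] + 1:] if field.search(r["body"])]


if __name__ == "__main__":
    hits = watch_hits(TRANSCRIPT_LOG, "fk_passwd")
    if hits is None:
        print("no watch insertion logged")
    else:
        print("%d record(s) for fk_passwd after the watch insert" % len(hits))
```
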