This might be a dumb question but why not just manually edit the audit.rules file using 'vi' or some other text editor instead of using auditctl?

-M.

On Mon, Nov 8, 2010 at 4:20 PM, Steve Grubb <sgrubb@redhat.com> wrote:
On Monday, November 08, 2010 12:27:47 pm Michael Convey wrote:
> # auditctl -l
> LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
> LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
> # auditctl -W /etc/hosts
> Error sending delete rule data request (No such file or directory)
>
> What am I doing wrong?

You have to match each field in the rule:

[root ~]# auditctl -w /etc/hosts -p wa -k hosts-file
[root ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=wa key=hosts-file
[root ~]# auditctl -W /etc/hosts -p wa -k hosts-file
[root ~]# auditctl -l
No rules


-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit