Re: audit.47

On Mon, 2005-05-23 at 11:31 -0400, Peter Martuccelli wrote: with auditctl from audit-0.8.2-2 auditctl -D deletes all rules, but not all watch lists. is there an equivalent to -D to delete all watch lists? is it possible to make -D also delete watch lists? for now i added a loop to clear these lists in my auditd init script: --- /etc/init.d/auditd.orig 2005-05-23 13:34:08.819954823 -0400 +++ /etc/init.d/auditd 2005-05-23 13:41:35.517872333 -0400 @@ -71,6 +71,13 @@ stop(){ killproc $prog RETVAL=$? echo + + # remove stale watches + for watch in `/sbin/auditctl -l | /bin/grep ^AUDIT_WATCH_LIST | /bin/awk -Fpath= '{print $2}' | /bin/awk -F, '{print $1}'` + do + /sbin/auditctl -W ${watch} >/dev/null + done + rm -f /var/lock/subsys/auditd return $RETVAL } also, i managed to trigger an oops with audit.47, which i have not been able to repeat. i'll attach it in case it is useful. and thanks peter, i appear to be all set up. rob.