audit 0.6.10 released
Steve Grubb
sgrubb at redhat.com
Tue Apr 5 20:17:14 UTC 2005
On Tuesday 05 April 2005 15:26, Debora Velarde wrote:
> For the new 'arch' field. Would this be the correct auditctl usage?

In a word. No.

I just looked at the arch patch to the kernel. I think I'll need to do some
work on auditctl. There's a lot of defines getting or'd together and that
just won't work for what you want.

David, how did you intend userspace to compute a correct value? For example,
my 2 bit machine has arch=40000003.

I also just noticed that success is now "yes" or "no". It was 0 and 1. When
someone does this:

-a entry,always -S open -F success!=0

The logs no longer match.

Both of these changes should have been announced on this mail list in case
there are impacts. I have to document this stuff in the auditctl man pages,
too.

-Steve
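
How an arch value such as the 40000003 quoted in the message above breaks down into an ELF machine number or'd with word-size and endianness flags, as an added example that is not part of the original message or of auditctl. The numeric values are those of the kernel's linux/audit.h and elf.h, redefined here under an EX_ prefix chosen for this example; the function names and the sample record are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values from linux/audit.h (flags) and elf.h (EM_*), redefined locally. */
#define EX_ARCH_64BIT 0x80000000u
#define EX_ARCH_LE    0x40000000u
enum { EX_EM_386 = 3, EX_EM_PPC = 20, EX_EM_PPC64 = 21, EX_EM_S390 = 22,
       EX_EM_IA_64 = 50, EX_EM_X86_64 = 62 };

/* Compose an arch value: ELF machine number plus the two flag bits. */
static uint32_t arch_compose(uint32_t em, int is64, int le)
{
    return em | (is64 ? EX_ARCH_64BIT : 0u) | (le ? EX_ARCH_LE : 0u);
}

/* Name an arch value by exact match on the whole word; NULL if unknown. */
static const char *arch_name(uint32_t arch)
{
    static const struct { uint32_t em; int is64, le; const char *name; } tbl[] = {
        { EX_EM_386,   0, 1, "i386"  }, { EX_EM_X86_64, 1, 1, "x86_64" },
        { EX_EM_PPC,   0, 0, "ppc"   }, { EX_EM_PPC64,  1, 0, "ppc64"  },
        { EX_EM_S390,  0, 0, "s390"  }, { EX_EM_S390,   1, 0, "s390x"  },
        { EX_EM_IA_64, 1, 1, "ia64"  },
    };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (arch_compose(tbl[i].em, tbl[i].is64, tbl[i].le) == arch)
            return tbl[i].name;
    return NULL;
}

/* Read the hex arch= field of a record; 0 on success, -1 if absent or malformed. */
static int parse_arch_field(const char *rec, uint32_t *out)
{
    const char *p = strstr(rec, "arch=");
    char *end;
    unsigned long v;
    if (!p)
        return -1;
    v = strtoul(p + 5, &end, 16);
    if (end == p + 5 || v > 0xFFFFFFFFul)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    uint32_t a; /* record below is a constructed sample */
    if (parse_arch_field("arch=40000003 syscall=5 success=yes", &a) == 0)
        printf("%08x -> %s\n", (unsigned)a, arch_name(a) ? arch_name(a) : "unknown");
    return 0;
}
```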