audit 0.6 release

Steve Grubb sgrubb at redhat.com
Thu Jan 6 23:19:35 UTC 2005


On Thursday 06 January 2005 17:40, Steve Grubb wrote:
> assuming user x is uid 501
> auditctl -a entry always -S unlink -F uid=501 arg0=file

This doesn't work. a0 doesn't take strings. You can look up the inode for the
file (if it doesn't change much). Should be something more like this:

auditctl -a entry,always -S unlink -F uid=501 -F success!=0 -F inode=12345

But the success flag just doesn't seem to be working right, either...

-Steve Grubb
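
An added example, not part of the original message: the "if it doesn't change much" caveat, shown in shell. It assumes GNU stat; the function names and the temporary file are constructed for illustration. The rule is printed in the form given above, without the success filter, and is never loaded.

```shell
#!/bin/sh
# Added example: an inode-pinned audit rule goes stale when the file is replaced.

# Print the inode number of a path (GNU stat, as on Linux).
inode_of() {
    stat -c %i "$1"
}

# Print (do not load) a rule in the syntax used in the message above.
# $1 = uid, $2 = path whose current inode is pinned into the rule.
build_unlink_rule() {
    printf 'auditctl -a entry,always -S unlink -F uid=%s -F inode=%s\n' \
        "$1" "$(inode_of "$2")"
}

# Return 0 if the inode in rule text $1 no longer matches path $2.
rule_is_stale() {
    pinned=$(printf '%s\n' "$1" | sed -n 's/.*inode=\([0-9][0-9]*\).*/\1/p')
    [ -n "$pinned" ] || return 0      # no inode field: treat as stale
    [ -e "$2" ] || return 0           # target is gone
    [ "$pinned" != "$(inode_of "$2")" ]
}

# Constructed demo: replace a file the way editors and package managers do
# (write a new file, then rename it over the old one) and re-check the rule.
demo() {
    dir=$(mktemp -d) || return 1
    echo v1 > "$dir/file"
    rule=$(build_unlink_rule 501 "$dir/file")
    echo "$rule"
    echo v2 > "$dir/file.new" && mv "$dir/file.new" "$dir/file"
    if rule_is_stale "$rule" "$dir/file"; then
        echo "stale: same path, inode is now $(inode_of "$dir/file")"
    fi
    rm -rf "$dir"
}

demo
```

A periodic check like rule_is_stale against the loaded rules tells you when a watched file has been replaced and the rule silently stopped matching.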



