audit 0.6 release
Steve Grubb
sgrubb at redhat.com
Thu Jan 6 23:19:35 UTC 2005
On Thursday 06 January 2005 17:40, Steve Grubb wrote:
> assuming user x is uid 501
> auditctl -a entry always -S unlink -F uid=501 arg0=file
This doesn't work. a0 doesn't take strings. you can lookup the inode for the
file (if it doesn't change much). Should be something more like this:
auditctl -a entry,always -S unlink -F uid=501 -F success!=0 -F inode=12345
But the success flag just doesn't seem to be working right, either...
-Steve Grubb
More information about the Linux-audit
mailing list