[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit 0.6 release



On Thursday 06 January 2005 17:40, Steve Grubb wrote:
> assuming user x is uid 501
> auditctl -a entry always -S unlink -F uid=501 arg0=file

This doesn't work. a0 doesn't take strings. you can lookup the inode for the 
file (if it doesn't change much). Should be something more like this:

auditctl -a entry,always -S unlink -F uid=501 -F success!=0 -F inode=12345

But the success flag just doesn't seem to be working right, either...

-Steve Grubb


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]