
File system audit loses watches



Hi,

From a session I just ran on the .56 kernel:

[root endeavor ~]# auditctl -w /media/cdrecorder/eula.txt -k test -p wrea
No rules
AUDIT_WATCH_LIST: dev=22:64, path=/media/cdrecorder/eula.txt, filterkey=test, 
perms=rwea, valid=0
[root endeavor ~]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=22:64, path=/media/cdrecorder/eula.txt, filterkey=test, 
perms=rwea, valid=0
[root endeavor ~]# eject
[root endeavor ~]# auditctl -l
No rules
No watches

Looking through the audit logs, there is one CONFIG_CHANGE record with watch 
insert. No records with watch remove. The removal of a rule is a config 
change and should have a corresponding audit event. But...rules should never 
be lost unless they are explicitly deleted by the admin, should they?

-Steve
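
The check described in the message above (every rule that disappears should have a matching removal record), written as an added example that is not part of the original post. It assumes the `op=add_rule` / `op=remove_rule` CONFIG_CHANGE layout that current kernels write, which may differ from the .56 kernel's records; the function names and all sample data are constructed for illustration.

```python
import re

# Constructed sample audit.log records. The op=add_rule/remove_rule layout is
# what current kernels write; the .56 kernel in the post may differ (assumption).
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1700000000.100:10): auid=0 ses=1 op=add_rule key="test" list=4 res=1
type=CONFIG_CHANGE msg=audit(1700000001.200:11): auid=0 ses=1 op=add_rule key="passwd" list=4 res=1
type=CONFIG_CHANGE msg=audit(1700000002.300:12): auid=0 ses=1 op=add_rule key="tmp" list=4 res=1
type=CONFIG_CHANGE msg=audit(1700000003.400:13): auid=0 ses=1 op=remove_rule key="tmp" list=4 res=1
"""

# Constructed `auditctl -l` output captured after the event under investigation.
SAMPLE_RULES = "-w /etc/passwd -p wa -k passwd\n"

# Only successful (res=1) changes to keyed rules are replayed; rules without a
# key are logged as key=(null) and cannot be tracked this way.
RECORD = re.compile(
    r'^type=CONFIG_CHANGE .*?\bop=(add_rule|remove_rule)\b.*?\bkey="([^"]+)".*?\bres=1\b'
)
# auditctl -l prints the key as "-k name" for watches and "-F key=name" otherwise.
LOADED_KEY = re.compile(r'(?:-k\s+|-F\s+key=)(\S+)')


def expected_keys(log_text):
    """Replay add/remove records and return the keys that should still be loaded."""
    counts = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        op, key = m.groups()
        delta = 1 if op == "add_rule" else -1
        counts[key] = max(0, counts.get(key, 0) + delta)
    return {key for key, n in counts.items() if n > 0}


def loaded_keys(rules_text):
    """Keys present in `auditctl -l` output ("No rules" yields an empty set)."""
    return set(LOADED_KEY.findall(rules_text))


def silently_lost(log_text, rules_text):
    """Keys the log says were added and never removed, yet are no longer loaded."""
    return expected_keys(log_text) - loaded_keys(rules_text)


if __name__ == "__main__":
    for key in sorted(silently_lost(SAMPLE_LOG, SAMPLE_RULES)):
        print(f"rule key {key!r} is gone with no CONFIG_CHANGE removal record")
```

The log passed in has to cover every rule change since boot, because a reboot clears the loaded rules without writing removal records.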

