
Re: adding syscall rules



On Wednesday 08 June 2005 17:10, Amy Griffis wrote:

> When adding the 31st rule, the 'No watches' message is not printed
> following the auditctl command to add the rule, or any subsequent
> auditctl -l calls.  This seems to happen for any number of rules
> greater than 30.

I fixed this today. There is a timeout counter that triggers on 30 times 
around the loop. It wasn't always getting reset. Will be in 0.9.3.

> When the 61st rule is added, it does not appear in the rules list when
> adding the rule, or any following auditctl -l calls.  60 seems to be
> the maximum number of rules that can be listed.  I do see an 'added an
> audit rule' message in the audit log for the 61st rule, and can
> generate audit records from it.

Probably related to the above.

> On a related note, I've been working on putting together a default
> CAPP configuration that can be loaded via auditctl, similar to LAuS's
> filter.conf file.  Has anyone else been working on this?  

I think it would be useful for a sample configuration to be available for 
system admins to customize.

-Steve

