[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit 0.9.12 released



On Thu, 2005-06-23 at 12:47 -0500, Loulwa Salem wrote:
>         auditctl -a watch,always -F auid=uid1
>         auditctl -a watch,never -F auid=uid2
> 
> Neither seems to work .. in the log I still see watch records for open
> on the watched file generated by both users!!

Watch filters should have a syscall. If you didn't specify any, then I'd
guess that neither of those rules are matching, so you're getting the
default behaviour.

-- 
dwmw2


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]