what's in the works

Steve Grubb sgrubb at redhat.com
Mon Mar 28 21:57:25 UTC 2005


On Monday 28 March 2005 15:34, Timothy R. Chavez wrote:
> What good would dumping the watch information be if you don't know where
> the watch truly is in the filesystem?

So that you can delete it or see what is supposed to be in-kernel.

> Shouldn't that also be important? 

Yes and no. The reason you dump the list is to confirm that watches were 
loaded, or to jog your memory as you delete one, or maybe you want to see if 
a watch already exists before you add another. You also might dump a list in 
troubleshooting to see why an audit event isn't being detected. In all cases 
you at least want the information that was sent into the kernel.

Can you explicitly state the namespace or device when you load a watch? Or 
does the device and namespace get implicitly bound to the path by virtue of 
who loaded the watch and at what time? Or does the watch work for all name 
spaces and devices? (This topic needs to be documented for the man page.)

If there's an implicit binding, I can see why you might want that info during 
troubleshooting. But it's not the same as getting a list for the purpose of 
deleting one.

-Steve



