audit.36 kernel

Steve Grubb sgrubb at redhat.com
Mon May 16 15:27:10 UTC 2005


On Monday 16 May 2005 11:02, Loulwa Salem wrote:
> I am still seeing some problems with missing watch records

Me, too.  Using the i686 .36 kernel:

[root at endeavor ~]# /etc/rc.d/init.d/auditd stop
Stopping auditd:                                           [  OK  ]
[root at endeavor ~]# rm -f /var/log/audit/audit.log
[root at endeavor ~]# /etc/rc.d/init.d/auditd start
Starting auditd:                                           [  OK  ]
[root at endeavor ~]# auditctl -l
No rules
No watches
[root at endeavor ~]# auditctl -w /etc/passwd -k fk_passwd -p rwea
No rules
AUDIT_WATCH_LIST: dev=3:2, path=/etc/passwd, filterkey=fk_passwd, perms=15, valid=0
[root at endeavor ~]# cat /etc/passwd >/dev/null
[root at endeavor ~]# tail /var/log/audit/audit.log
type=DAEMON_START msg=audit(1116256955.597:932) auditd start, ver=0.8.1, format=raw, uid=4325, auditd pid=2751
type=CONFIG_CHANGE msg=audit(1116256955.810:0): audit_enabled=1 old=1 by auid 4325
type=CONFIG_CHANGE msg=audit(1116256956.013:0): audit_backlog_limit=1024 old=1024 by auid 4325
type=CONFIG_CHANGE msg=audit(1116256965.066:0): auid 4325 inserted watch
[root at endeavor ~]# auditctl -W /etc/passwd -k fk_passwd -p rwea
No rules
No watches
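The symptom above is a watch that is listed as inserted but never tags a record. Below is an added check, not code from this post or from the audit project, that parses audit.log lines in the layout shown and reports whether any record after the "inserted watch" CONFIG_CHANGE carries the watch's filter key; the sample hit record (SYSCALL type, key= field) is a constructed assumption about the record layout.

```python
import re

# Perms bitmask from linux/audit.h: exec=1, write=2, read=4, attr=8, so rwea == 15
# (matches perms=15 in the AUDIT_WATCH_LIST line from the post).
PERM_BITS = (("r", 4), ("w", 2), ("e", 1), ("a", 8))

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<secs>\d+\.\d+):(?P<serial>\d+)\):?\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s,]+)')

# Constructed sample: the records tail(1) printed in the post, joined back onto single lines.
LOG_FROM_POST = [
    "type=DAEMON_START msg=audit(1116256955.597:932) auditd start, ver=0.8.1, format=raw, uid=4325, auditd pid=2751",
    "type=CONFIG_CHANGE msg=audit(1116256955.810:0): audit_enabled=1 old=1 by auid 4325",
    "type=CONFIG_CHANGE msg=audit(1116256956.013:0): audit_backlog_limit=1024 old=1024 by auid 4325",
    "type=CONFIG_CHANGE msg=audit(1116256965.066:0): auid 4325 inserted watch",
]
# Constructed: what a record from the watch would carry if the read of /etc/passwd were logged.
# The SYSCALL type and the key= field are assumptions about the layout, not taken from the post.
EXPECTED_HIT = 'type=SYSCALL msg=audit(1116256970.123:933): syscall=5 success=yes exit=3 key="fk_passwd"'

def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and its key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"type": m.group("type"), "time": float(m.group("secs")),
            "serial": int(m.group("serial")), "fields": fields, "text": m.group("rest")}

def decode_perms(mask):
    """Turn the numeric perms mask back into auditctl's -p letters (15 -> 'rwea')."""
    return "".join(letter for letter, bit in PERM_BITS if mask & bit)

def watch_hits(lines, key):
    """Records tagged with the watch key that arrived after the 'inserted watch' CONFIG_CHANGE."""
    inserted_at, hits = None, []
    for rec in filter(None, map(parse_record, lines)):
        if rec["type"] == "CONFIG_CHANGE" and "inserted watch" in rec["text"]:
            inserted_at = rec["time"]
        elif inserted_at is not None and rec["time"] >= inserted_at \
                and rec["fields"].get("key") == key:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    # Log exactly as in the post: the watch was inserted but nothing carries its key.
    print("hits in posted log:", len(watch_hits(LOG_FROM_POST, "fk_passwd")))
    print("hits once a tagged record exists:",
          len(watch_hits(LOG_FROM_POST + [EXPECTED_HIT], "fk_passwd")))
```

Run it against a real audit.log after triggering the watched access; zero hits for the configured key is the same condition the session above shows.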
