audit.36 kernel
Steve Grubb
sgrubb at redhat.com
Mon May 16 15:27:10 UTC 2005
On Monday 16 May 2005 11:02, Loulwa Salem wrote:
> I am still seeing some problems with missing watch records
Me, too. Using the i686 .36 kernel:
[root at endeavor ~]# /etc/rc.d/init.d/auditd stop
Stopping auditd: [ OK ]
[root at endeavor ~]# rm -f /var/log/audit/audit.log
[root at endeavor ~]# /etc/rc.d/init.d/auditd start
Starting auditd: [ OK ]
[root at endeavor ~]# auditctl -l
No rules
No watches
[root at endeavor ~]# auditctl -w /etc/passwd -k fk_passwd -p rwea
No rules
AUDIT_WATCH_LIST: dev=3:2, path=/etc/passwd, filterkey=fk_passwd, perms=15,
valid=0
[root at endeavor ~]# cat /etc/passwd >/dev/null
[root at endeavor ~]# tail /var/log/audit/audit.log
type=DAEMON_START msg=audit(1116256955.597:932) auditd start, ver=0.8.1,
format=raw, uid=4325, auditd pid=2751
type=CONFIG_CHANGE msg=audit(1116256955.810:0): audit_enabled=1 old=1 by auid
4325
type=CONFIG_CHANGE msg=audit(1116256956.013:0): audit_backlog_limit=1024
old=1024 by auid 4325
type=CONFIG_CHANGE msg=audit(1116256965.066:0): auid 4325 inserted watch
[root at endeavor ~]# auditctl -W /etc/passwd -k fk_passwd -p rwea
No rules
No watches