audit 1.2.2 released
Michael C Thompson
thompsmc at us.ibm.com
Wed May 17 21:43:10 UTC 2006
Steve Grubb wrote:
> On Wednesday 17 May 2006 17:12, Michael C Thompson wrote:
>>> Please let me know if there are any problems with this release.
>> auditctl -a entry,always -S chmod -F "watch=/root/file"
>>
>> This fails... how is one supposed to use the new 'watch' field filter?
>
> This was already reported on SE Linux mail list last week. The short answer is
> that policy needs to be adjusted to make this work. I don't know if the
> changes have been rolled out yet. Just as a test, try "setenforce 0" and then
> load the audit rule.
The above command was tried in permissive mode. The resulting error is:
# auditctl -a entry,always -S chmod -F "watch=/root/file"
-F unknown field: watch=/root/file
Thanks,
Mike
More information about the Linux-audit
mailing list