ausearch / policy question
Steve Grubb
sgrubb at redhat.com
Thu Jul 24 19:12:16 UTC 2008
On Wednesday 23 July 2008 18:30:45 LC Bruzenak wrote:
> So my questions are:
> 1: duplicate records above - expected or correct since there were two
> matches - the AVC and also the command?
You'd have to look at the logs to figure that out. ausearch doesn't buffer
events past one miscompare.
> 2: why is ausearch producing the AVCs?
Maybe you need to be secadmin or auditadmin?
-Steve