
Re: auditctl: how do I remove a watch?



On Mon, Nov 8, 2010 at 1:20 PM, Steve Grubb <sgrubb redhat com> wrote:
On Monday, November 08, 2010 12:27:47 pm Michael Convey wrote:
> # auditctl -l
> LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
> LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
> # auditctl -W /etc/hosts
> Error sending delete rule data request (No such file or directory)
>
> What am I doing wrong?

You have to match each field in the rule:

[root ~]# auditctl -w /etc/hosts -p wa -k hosts-file
[root ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=wa key=hosts-file
[root ~]# auditctl -W /etc/hosts -p wa -k hosts-file
[root ~]# auditctl -l
No rules


-Steve


Worked perfectly, thanks!!

Perhaps someone could update the man page to make this more clear. The man page indicates "-W" and "path" are the only arguments needed.

Mike
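
An added example, not part of the original thread and not code from the audit project: since a watch is only deleted when every field of the rule matches, this shell function reads the legacy `auditctl -l` listing format shown above and prints the matching `auditctl -W` command for each watch. The function names and the syscall-rule sample line are assumptions made for illustration, and paths and keys are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: derive the full delete command for every watch rule in
# legacy `auditctl -l` output (LIST_RULES format). Commands are printed for
# review, not executed.
# Assumption: watch paths and keys contain no whitespace.

watch_delete_cmds() {
    while IFS= read -r line; do
        # Only file watches carry a watch= field; skip everything else.
        case $line in
            "LIST_RULES: "*watch=*) ;;
            *) continue ;;
        esac
        path= perm= key=
        set -f                      # no globbing while splitting fields
        for field in ${line#LIST_RULES: }; do
            case $field in
                watch=*) path=${field#watch=} ;;
                perm=*)  perm=${field#perm=} ;;
                key=*)   key=${field#key=} ;;
            esac
        done
        set +f
        [ -n "$path" ] || continue
        # Repeat every field the rule was created with, or the kernel
        # finds no matching rule and the delete request fails.
        cmd="auditctl -W $path"
        [ -n "$perm" ] && cmd="$cmd -p $perm"
        [ -n "$key" ] && cmd="$cmd -k $key"
        printf '%s\n' "$cmd"
    done
}

# Sample input: the two watch lines quoted in the thread, plus one
# constructed syscall-rule line that must be ignored.
sample_listing() {
    cat <<'EOF'
LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=open
EOF
}

sample_listing | watch_delete_cmds
```

On a live system the input would come from `auditctl -l` instead of `sample_listing`; `auditctl -l` afterwards confirms which rules remain.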
