auditctl: how do I remove a watch?
Steve Grubb
sgrubb at redhat.com
Tue Nov 9 02:27:33 UTC 2010
On Monday, November 08, 2010 08:39:30 pm Mike Nixon wrote:
> This might be a dumb question but why not just manually edit the
> audit.rules file using 'vi' or some other text editor instead of using
> auditctl?
For permanent changes, I think that is what you want to do. But there may be times
when you are short on disk space and want to pull one, or maybe you were experimenting
and now you want to remove what you put in. :)
But this reminds me that we should have some capability to compare the rules file with
what's in the kernel.
-Steve
More information about the Linux-audit
mailing list