Fwd: Possible regression

4javier 4javiereg4 at gmail.com
Thu Jun 2 18:14:40 UTC 2011


---------- Forwarded message ----------
From: 4javier <4javiereg4 at gmail.com>
Date: 2011/6/2
Subject: Re: Possible regression
To: Steve Grubb <sgrubb at redhat.com>


root@Archbox /home/javier $ touch /tmp/test
root@Archbox /home/javier $ cat /tmp/test
root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
root@Archbox /home/javier $ echo ppp >> /tmp/test
root@Archbox /home/javier $ cat /tmp/test
ppp
root@Archbox /home/javier $ ausearch -i -f /tmp/test
<no matches>
root@Archbox /home/javier $ auditctl -l
LIST_RULES: exit,always watch=/tmp/test perm=wa
root@Archbox /home/javier $ echo ppp > /tmp/test
root@Archbox /home/javier $ ausearch -i -f /tmp/test
<no matches>
root@Archbox /home/javier $ ausearch -f /tmp/test
<no matches>

As you can see from the auditctl -l output, the rule seems to be correctly set, but
ausearch doesn't show anything.

2011/6/2 Steve Grubb <sgrubb at redhat.com>

> On Thursday, June 02, 2011 09:45:38 AM you wrote:
> > you're right...sorry for my fault...
> > I didn't use the -a switch. I read the man, but I cannot understand how
> > this setting is able to fix the problem with O_CREAT.
> > Could you explain that to me, please?
>
> As far as I know, the problem was fixed in 2006 and there has been no
> regression. The -w command is translated into -a always,exit -F path=
> under the hood. It's been this way since watches were deprecated around
> 2005/2006.
>
> How were you testing? You might have found a bug and I just don't know how
> to reproduce it.
>
> -Steve
>