<html><body> Hi Steve, For the new 'arch' field. Would this be the correct auditctl usage? To audit 32bit chmod syscall: auditctl -a exit,always -S chmod -F arch=32 To audit 64bit chmod syscall: auditctl -a exit,always -S chmod -F arch=64 Can you also do: auditctl -a entry,always -S 15 -F arch=32 Thanks! debbie <tt>linux-audit-bounces@redhat.com wrote on 04/01/2005 01:39:00 PM: > Hello, </tt> <tt>> Another audit package has been released. This release is mostly code cleanups > and getting things finalized for Fedora Core 4. It can be downloaded from > <a href="http://people.redhat.com/sgrubb/audit">http://people.redhat.com/sgrubb/audit</a> </tt> <tt>> The changelog includes: </tt> <tt>> - Code cleanups > - Support the arch field for auditctl > - Add version to auditctl command > - Documentation updates > - Moved default location of the audit log to /var/log/audit/audit.log </tt> <tt>> The default location for the audit log was moved for a couple reasons. We want > to put it in a place that could be used as a mount point. People doing any > serious auditing need to have a partition set aside just for auditing. This > move, by default, will make it easier for people to do that. We also wanted > to put it in its own directory so that we can add some SE Linux policy later > to protect the logs. </tt> <tt>> The audit watch list code is not in this release. I feel that we still need to > discuss the way it needs to work and solidify that before I put it into the > FC4 distribution. The watch add & remove I think are fine and the code is > included so that one day when this gets upstream and that kernel gets > released, everyone can start using it. </tt> <tt>> Let me know if there are any problems with this latest release. </tt> <tt>> Thanks, > -Steve Grubb </tt> <tt>> -- > Linux-audit mailing list > Linux-audit@redhat.com > <a href="http://www.redhat.com/mailman/listinfo/linux-audit">http://www.redhat.com/mailman/listinfo/linux-audit</a></tt></body></html>