auditctl bug: load rules from file
Timothy R. Chavez
tinytim at us.ibm.com
Tue Jul 26 21:23:43 UTC 2005
On Tuesday 26 July 2005 16:11, Steve Grubb wrote:
> On Tuesday 26 July 2005 16:48, Amy Griffis wrote:
> > # auditctl -a entry,always open
> >
> > # auditctl -l
> > AUDIT_LIST: entry,always syscall=all
> > No watches
>
> Jeez. I wish this had been reported a long time ago. This behavior has probably
> been there from the beginning. I'm glad you are reporting it. Adding to TODO
> list...
>
This isn't a userspace issue, but do you think this should be permitted? I'd
expect a "Rule already exists" type error *shrug*

[root@liltux ~]# auditctl -aexit,always -S open
[root@liltux ~]# auditctl -l
AUDIT_LIST: exit,always syscall=open
No watches
[root@liltux ~]# auditctl -aexit,always -S open
[root@liltux ~]# auditctl -l
AUDIT_LIST: exit,always syscall=open
AUDIT_LIST: exit,always syscall=open

-tim
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
>
>
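
Added example, not part of the original message or of the audit package: a shell check over `auditctl -l` output, assuming the `AUDIT_LIST:` listing format shown in the sessions above, that reports rules loaded more than once and rules listed as `syscall=all`. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the listing format quoted in the message:
# one rule loaded twice, plus the syscall=all rule from the first report.
sample_listing() {
cat <<'EOF'
AUDIT_LIST: exit,always syscall=open
AUDIT_LIST: exit,always syscall=open
AUDIT_LIST: entry,always syscall=all
No watches
EOF
}

# Read a listing on stdin and print "<count> <rule>" for every rule that
# appears more than once, in first-seen order. Runs of whitespace are
# collapsed so spacing differences do not hide a duplicate.
duplicate_rules() {
    awk '
        /^AUDIT_LIST:/ {
            sub(/^AUDIT_LIST:[ \t]*/, "")
            gsub(/[ \t]+/, " ")
            sub(/ $/, "")
            if (!($0 in count)) order[++n] = $0
            count[$0]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print count[order[i]], order[i]
        }'
}

# Print rules listed as covering every syscall. Such a rule can be
# intentional; it is flagged for review because a rule entered without -S
# was listed this way in the first session quoted above.
catch_all_rules() {
    awk '/^AUDIT_LIST:/ && /[ \t]syscall=all([ \t]|$)/ {
        sub(/^AUDIT_LIST:[ \t]*/, "")
        print
    }'
}

# Run both checks on the constructed sample.
sample_listing | duplicate_rules
sample_listing | catch_all_rules
```

On a live system the same functions can be fed from `auditctl -l` run as root instead of `sample_listing`.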