duplicate watches
Amy Griffis
amy.griffis at hp.com
Tue Jul 26 21:37:39 UTC 2005
Timothy R. Chavez wrote: [Tue Jul 26 2005, 05:23:43PM EDT]
> This isn't a userspace issue, but do you think this should be permitted? I'd
> expect a "Rule already exists" type error *shrug*
>
> [root at liltux ~]# auditctl -aexit,always -S open
> [root at liltux ~]# auditctl -l
> AUDIT_LIST: exit,always syscall=open
> No watches
> [root at liltux ~]# auditctl -aexit,always -S open
> [root at liltux ~]# auditctl -l
> AUDIT_LIST: exit,always syscall=open
> AUDIT_LIST: exit,always syscall=open
I just found this as well:
# auditctl -w /tmp
# auditctl -w /tmp/
# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=8:6, path=/tmp, filterkey=, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:6, path=/tmp/, filterkey=, perms=, valid=0
More information about the Linux-audit
mailing list