File system audit loses watches
Steve Grubb
sgrubb at redhat.com
Tue Jun 7 17:33:37 UTC 2005
Hi,
From a session I just ran on the .56 kernel:
[root at endeavor ~]# auditctl -w /media/cdrecorder/eula.txt -k test -p wrea
No rules
AUDIT_WATCH_LIST: dev=22:64, path=/media/cdrecorder/eula.txt, filterkey=test,
perms=rwea, valid=0
[root at endeavor ~]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=22:64, path=/media/cdrecorder/eula.txt, filterkey=test,
perms=rwea, valid=0
[root at endeavor ~]# eject
[root at endeavor ~]# auditctl -l
No rules
No watches
Looking through the audit logs, there is one CONFIG_CHANGE record with watch
insert. No records with watch remove. The removal of a rule is a config
change and should have a corresponding audit event. But...rules should never
be lost unless they are explicitly deleted by the admin, should they?
-Steve
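An added consistency check, not code from the original message or from the audit project: it pairs CONFIG_CHANGE add/remove records by filter key, derives which watch keys the log says should still be loaded, and compares that against the current `auditctl -l` listing, so a watch that vanished without a matching removal record (as in the eject case above) is reported. The sample log lines and listing output are constructed; the `op=add_rule` / `op=remove_rule` and `key="..."` field layout is assumed from current auditd conventions, and the `filterkey=` listing form is taken from the output quoted above.

```python
import re

# Constructed sample records, not taken from the original post. The field
# layout (op=add_rule / op=remove_rule, key="...") is assumed from current
# auditd conventions; older kernels worded the op differently, so the
# classifier below accepts "insert"/"remove" spellings as well.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1118165617.001:101): auid=0 op=add_rule key="test" list=4 res=1
type=CONFIG_CHANGE msg=audit(1118165700.002:102): auid=0 op=add_rule key="etc" list=4 res=1
type=CONFIG_CHANGE msg=audit(1118165800.003:103): auid=0 op=remove_rule key="etc" list=4 res=1
type=SYSCALL msg=audit(1118165810.004:104): arch=c000003e syscall=2 success=yes exit=3
"""

# Constructed listings: the first mimics the AUDIT_WATCH_LIST form quoted in
# the message, the second is what auditctl printed after the eject.
LISTING_BEFORE_EJECT = """\
No rules
AUDIT_WATCH_LIST: dev=22:64, path=/media/cdrecorder/eula.txt, filterkey=test, perms=rwea, valid=0
"""
LISTING_AFTER_EJECT = """\
No rules
No watches
"""

CONFIG_RE = re.compile(
    r'^type=CONFIG_CHANGE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)$')
OP_RE = re.compile(r'\bop=(?:"(?P<q>[^"]*)"|(?P<u>\S+))')
KEY_RE = re.compile(r'\b(?:filter)?key="?(?P<key>[^"\s,]+)"?')
# Accepts both the old "filterkey=test," form and the modern "-k test" form.
RULE_KEY_RE = re.compile(r'(?:-k\s+|filterkey=)(?P<key>[^\s,]+)')


def parse_config_changes(log_text):
    """Return (serial, 'add'|'remove', key) for each CONFIG_CHANGE rule event."""
    events = []
    for line in log_text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if not m:
            continue
        rest = m.group('rest')
        op_m = OP_RE.search(rest)
        key_m = KEY_RE.search(rest)
        if not op_m or not key_m or key_m.group('key') == '(null)':
            continue
        op = (op_m.group('q') or op_m.group('u')).lower()
        if 'add' in op or 'insert' in op:
            kind = 'add'
        elif 'remove' in op or 'delete' in op:
            kind = 'remove'
        else:
            continue  # other config changes (e.g. enabled/failure flags)
        events.append((int(m.group('serial')), kind, key_m.group('key')))
    return events


def expected_live_keys(log_text):
    """Replay add/remove events in serial order; whatever remains should be loaded."""
    live = set()
    for _, kind, key in sorted(parse_config_changes(log_text)):
        if kind == 'add':
            live.add(key)
        else:
            live.discard(key)
    return live


def loaded_keys(auditctl_output):
    """Filter keys actually present in `auditctl -l` output."""
    return set(RULE_KEY_RE.findall(auditctl_output))


def silently_lost_keys(log_text, auditctl_output):
    """Keys the audit trail says are live but the kernel no longer has loaded."""
    return sorted(expected_live_keys(log_text) - loaded_keys(auditctl_output))


if __name__ == '__main__':
    for label, listing in (('before eject', LISTING_BEFORE_EJECT),
                           ('after eject', LISTING_AFTER_EJECT)):
        lost = silently_lost_keys(SAMPLE_LOG, listing)
        print(f'{label}: lost watches without a removal record: {lost or "none"}')
```

Run periodically (or from a cron job alongside `ausearch -m CONFIG_CHANGE`) and treat any non-empty result as a gap in the audit trail rather than as an administrator action.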
More information about the Linux-audit mailing list