File system audit loses watches
David Woodhouse
dwmw2 at infradead.org
Tue Jun 7 20:34:28 UTC 2005
On Tue, 2005-06-07 at 13:33 -0400, Steve Grubb wrote:
> Looking through the audit logs, the is one CONFIG_CHANGE record with watch
> insert. No records with watch remove. The removal of a rule is a config
> change and should have a corresponding audit event. But...rules should never
> be lost unless they are explicitly deleted by the admin should they?
Same answer as last time you asked the question. The rule is tied to the
directory, and when the directory goes away the watch does too.
--
dwmw2
More information about the Linux-audit
mailing list