audit 0.9.4 released
Loulwa Salem
loulwas at us.ibm.com
Mon Jun 13 15:50:00 UTC 2005
Steve Grubb wrote:
> This update represents the last feature (sighup) being added for the CAPP
> development work. At this point, I think we are at a point where we need lots
> of testing, bug reports, and review of man pages.
The new auditctl (0.9.4) is returning a 1 on a successful insert or
remove of a watch ... My tests check for the return code, so I know that
was not the case in the previous version.
I am running kernel.56
Example:
[root at comp loulwa]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=253:0, path=/tmp/foo, filterkey=key-key, perms=,
valid=0
[root at comp loulwa]# auditctl -W /tmp/foo
[root at comp loulwa]# echo $?
1
[root at comp loulwa]# auditctl -l
No rules
No watches
[root at comp loulwa]# auditctl -w /tmp/new_file -k test-key
[root at comp loulwa]# echo $?
1
[root at comp loulwa]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=253:0, path=/tmp/new_file, filterkey=test-key,
perms=, valid=0
- loulwa