audit 0.9.12 released

Steve Grubb sgrubb at redhat.com
Thu Jun 23 11:19:40 UTC 2005


On Wednesday 22 June 2005 21:51, Loulwa Salem wrote:
> Steve Grubb wrote:
> > This version also corrects user &
> > watch list filtering.
> >
> > Please let me know if there are any problems.
>
> When adding auid filters on watches .. and executing "auditctl -l" I
> don't see a list of the newly added filter rules ... Is that the
> behavior you intended?

[root@endeavor ~]# auditctl -a watch,never -F loginuid=500
[root@endeavor ~]# auditctl -l
AUDIT_LIST: watch,never auid=500 (0x1f4) syscall=
No watches
[root@endeavor ~]# auditctl -D
No rules
No watches

Works for me. ??

> Also .. the above commands don't seem to be actually filtering .. so I
> don't know if that is because the mechanism might not be working, or
> maybe the filters aren't getting inserted since I don't see them in the
> listing ..

Not sure. David, have you played with the latest auditctl and checked 
everything out? For example, I just tried this and hung the machine:

auditctl -a watch,never -F loginuid=-1
auditctl -a entry,always -S all

It locked up the machine solid. No flashing disk lights, and the caps lock key 
didn't toggle its light.

-Steve