audit 0.9.12 released
David Woodhouse
dwmw2 at infradead.org
Thu Jun 23 18:09:49 UTC 2005
On Thu, 2005-06-23 at 12:47 -0500, Loulwa Salem wrote:
> auditctl -a watch,always -F auid=uid1
> auditctl -a watch,never -F auid=uid2
>
> Neither seems to work .. in the log I still see watch records for open
> on the watched file generated by both users!!
Watch filters should have a syscall. If you didn't specify any, then I'd
guess that neither of those rules are matching, so you're getting the
default behaviour.
--
dwmw2
More information about the Linux-audit mailing list