[RFC][PATCH] (#6) filesystem auditing
Steve Grubb
sgrubb at redhat.com
Thu Mar 17 18:19:11 UTC 2005
On Wednesday 16 March 2005 11:52, Timothy R. Chavez wrote:
> So then when you do,
>
> ./auditctl -w /etc/passwd -k fk_passwd_f

Thanks David for the new kernel...I can finally test. :)

Then you get one of these in /var/log/messages, too:

Mar 17 13:09:23 localhost kernel: Pushed data on cache stack

The audit.log also does not show that a rule was entered. Adding a watch
alters the config and a message should be sent indicating that a watch was
added. For example, adding a normal rule causes this to show up in the logs:

type=KERNEL msg=audit(1111083333.271:0): auid 525 added an audit rule

Also, when a rule is deleted, you get this kind of message:

Mar 17 13:10:49 localhost kernel: Popped data off cache stack

These messages about the cache stack might alarm people who aren't used to
seeing them.

-Steve