audit.36 kernel

Timothy R. Chavez tinytim at us.ibm.com
Mon May 16 15:36:38 UTC 2005


On Monday 16 May 2005 10:27, Steve Grubb wrote:
> On Monday 16 May 2005 11:02, Loulwa Salem wrote:
> > I am still seeing some problems with missing watch records
>
> Me, too.  Using the i686 .36 kernel:
>
> [root at endeavor ~]# /etc/rc.d/init.d/auditd stop
> Stopping auditd:                                           [  OK  ]
> [root at endeavor ~]# rm -f /var/log/audit/audit.log
> [root at endeavor ~]# /etc/rc.d/init.d/auditd start
> Starting auditd:                                           [  OK  ]
> [root at endeavor ~]# auditctl -l
> No rules
> No watches
> [root at endeavor ~]# auditctl -w /etc/passwd -k fk_passwd -p rwea
> No rules
> AUDIT_WATCH_LIST: dev=3:2, path=/etc/passwd, filterkey=fk_passwd, perms=15,
> valid=0
> [root at endeavor ~]# cat /etc/passwd >/dev/null
> [root at endeavor ~]# tail /var/log/audit/audit.log
> type=DAEMON_START msg=audit(1116256955.597:932) auditd start, ver=0.8.1,
> format=raw, uid=4325, auditd pid=2751
> type=CONFIG_CHANGE msg=audit(1116256955.810:0): audit_enabled=1 old=1 by
> auid 4325
> type=CONFIG_CHANGE msg=audit(1116256956.013:0): audit_backlog_limit=1024
> old=1024 by auid 4325
> type=CONFIG_CHANGE msg=audit(1116256965.066:0): auid 4325 inserted watch
> [root at endeavor ~]# auditctl -W /etc/passwd -k fk_passwd -p rwea
> No rules
> No watches
>

Interesting... I'm not seeing these problems (at least not with the latest
update patch I replied to the #7U5 thread with)... let me look into it deeper.

-tim



