proposed interface changes for filesystem audit

Steve Grubb sgrubb at redhat.com
Wed Nov 2 21:22:20 UTC 2005


On Wednesday 02 November 2005 16:10, Amy Griffis wrote:
> auditctl -a exit,always -S all -F path=/home/watchme

Thanks. That helps clarify it for me.

> These two rules would be functionally equivalent, but the first is
> more convenient:
>
> auditctl -a exit,always -S fs-remove -F path=/home/watchme
> auditctl -a exit,always -S rename -S rmdir -S unlink -F path=/home/watchme

Does your patch change the kernel to accept multiple syscalls in an audit 
rule? Currently, we have 1 syscall per rule.

-Steve



