Basic audit test fails
Stephen J. Smoogen
smooge at gmail.com
Wed Mar 22 20:41:21 UTC 2006
On 3/22/06, Steve Brueckner <steve at atc-nycorp.com> wrote:
> I'm having trouble getting started with audit on FC4.
>
> First, it appears I don't have file watch enabled in my kernel. Is file
> watch enabled in the FC5 kernel, or still only in RHEL?
>
It is only enabled in the RHEL-4 kernels. The patch for this was not
accepted upstream and is being reworked for inclusion in 2.6.17/18
timeframe (if I have my notes correct). I am not sure that the below
would work without the file patches.
> Second, I tried a basic test to audit files opened by a specific user (per
> the auditctl man page) but it doesn't seem to work:
>
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
More information about the Linux-audit
mailing list