Audit rule that applies when auid >= 500

Steve Grubb sgrubb at redhat.com
Mon Aug 6 22:19:20 UTC 2007


On Monday 06 August 2007 09:48:41 am Søren Olesen wrote:
> [root at localhost audit]# auditctl -v
> auditctl version 1.3.1

There may have been a bug in that version. I remember a problem where it 
wasn't upgrading the rule from the old kind to the new kind correctly. (It 
tries to use the old rule style for communicating with the kernel for 
backward compatibility with old kernels - pre-2.6.16.) There are slightly newer 
RHEL5 audit packages here: 

http://people.redhat.com/sgrubb/files/lspp/

But the RHEL5.1 package 1.5.5-5 should work fine:

#  auditctl -a exit,always -S open -F "auid>=500"
#  auditctl -l
LIST_RULES: exit,always auid>=500 (0x1f4) syscall=open

-Steve
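Added example, not code from the thread or from the audit package: a small Python parser for the LIST_RULES lines that `auditctl -l` printed above. It lets you confirm after an upgrade that the open rule really carries the auid>=500 filter, and that the hex value auditctl echoes in parentheses agrees with the decimal filter you asked for (the mismatch Steve describes would otherwise go unnoticed). The listing is constructed; on a real host, pass the text of `auditctl -l` instead.

```python
import re

# Constructed sample of `auditctl -l` output in the 1.x LIST_RULES format seen in the thread.
SAMPLE_LISTING = """\
LIST_RULES: exit,always auid>=500 (0x1f4) syscall=open
LIST_RULES: exit,always watch=/etc/shadow perm=wa
"""

RULE_RE = re.compile(r"^LIST_RULES:\s+(?P<list>\w+),(?P<action>\w+)\s+(?P<rest>.*)$")
# name, comparison operator, value, and the optional "(0x...)" echo of a numeric value
FIELD_RE = re.compile(
    r"(?P<name>\w+)(?P<op>>=|<=|!=|=|>|<)(?P<value>\S+)(?:\s+\((?P<hex>0x[0-9a-fA-F]+)\))?"
)


def parse_listing(text):
    """Parse LIST_RULES lines into dicts; raise if a hex echo disagrees with its decimal value."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a rule line
        fields = {}
        for f in FIELD_RE.finditer(m.group("rest")):
            value = f.group("value")
            if f.group("hex") is not None and int(f.group("hex"), 16) != int(value):
                raise ValueError(f"hex/decimal mismatch in loaded rule: {line}")
            fields[f.group("name")] = (f.group("op"), value)
        rules.append({"list": m.group("list"), "action": m.group("action"), "fields": fields})
    return rules


def has_rule(rules, syscall, field, op, value):
    """True if some loaded rule audits `syscall` with the filter `field op value`."""
    for r in rules:
        if r["fields"].get("syscall") == ("=", syscall) and r["fields"].get(field) == (op, str(value)):
            return True
    return False


if __name__ == "__main__":
    loaded = parse_listing(SAMPLE_LISTING)
    print("open audited for auid>=500:", has_rule(loaded, "open", "auid", ">=", 500))
```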
