Audit rules keys
Steve Grubb
sgrubb at redhat.com
Tue Aug 21 15:55:45 UTC 2007
On Tuesday 21 August 2007 11:39:51 Linda Knippers wrote:
> > Using system-config-audit getting key (-k) configuration errors when
> > saving changes.
> >
> > [root at localhost ~]# Stopping auditd: [ OK ]
> > Starting auditd: [ OK ]
> > key option needs a watch or syscall given prior to it
>
> This is telling you that the -k flag needs to be after a -S
> flag. I don't know why the order matters but apparently it does.
Correct. It matters because originally keys were only associated with watches.
So, I needed the rule writer to declare that this is going to be a syscall or
watch rule so that I can error check appropriately.
Keys do not apply to rules like -b or -e, so I still want to see the rule
type ahead of a key option so that errors are caught.
-Steve
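
An added example, not part of the original message or the audit project's code: a small Python check that applies the ordering rule described in this thread (a -k must come after a -w or -S on the same rule) to the text of a rules file before it is loaded. The function name `lint_key_order` and the sample rules are constructed for illustration, and it assumes one rule per line.

```python
import shlex

# Options that declare the rule type, per the thread: a watch (-w) or a syscall (-S).
RULE_TYPE_OPTS = {"-w", "-S"}

def lint_key_order(rules_text):
    """Return (line_number, message) for every -k with no -w/-S given before it."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), start=1):
        try:
            # comments=True drops '#' comments, so comment-only lines yield no tokens
            tokens = shlex.split(raw, comments=True)
        except ValueError as exc:
            findings.append((lineno, f"unparseable line: {exc}"))
            continue
        seen_type = False
        for tok in tokens:
            if tok in RULE_TYPE_OPTS:
                seen_type = True
            elif tok == "-k" and not seen_type:
                if any(t in RULE_TYPE_OPTS for t in tokens):
                    msg = "move -k after the -w or -S option"
                else:
                    msg = "-k used on a rule with no watch or syscall"
                findings.append((lineno, msg))
                break  # one finding per rule line is enough
    return findings

# Constructed sample rules, not taken from any real system.
SAMPLE = "\n".join([
    "-D",
    "-b 8192",
    "-w /etc/passwd -p wa -k identity",
    "-a exit,always -k time-change -S adjtimex -S settimeofday",
    "-a exit,always -S open -F success=0 -k failed-open",
    "-e 1 -k lockdown",
])

if __name__ == "__main__":
    for lineno, msg in lint_key_order(SAMPLE):
        print(f"line {lineno}: {msg}")
```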