SELinux for auditing

Steve Grubb sgrubb at redhat.com
Sat Feb 17 00:14:54 UTC 2007


On Thursday 01 February 2007 09:59:00 Stephen Smalley wrote:
> > Assuming current generation of audit code...
> >
> > auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
>
> Hmmm...on FC6, that yields an error from auditctl:
>         key option needs a watch or syscall given prior to it
>
> Dropping the -k option avoids the error message, but overwriting a bin_t
> file doesn't generate any audit message.

This turned out to be a bug in libaudit which was fixed in 1.4.1. It should 
work as I stated above when you upgrade. If not, let me know...

-Steve



