file watch result help
LC Bruzenak
lenny at magitekltd.com
Mon Jul 21 13:39:14 UTC 2008
On Mon, 2008-07-21 at 13:16 +0800, zhangxiliang wrote:
> >
> > So the file is getting moved to a temp file and then back (is the
> > prelink doing this?) with the result being that the CAP is erased.
> >
> > Not certain what is doing this in my system.
> > Any clues or instructions on how to narrow the search?
>
> Could you supply the audit message which type is "AUDIT_CONFIG_CHANGE" in your result?
[root at hugo ~]# ausearch -i -k AUDIT_CONFIG_CHANGE
<no matches>
Thank you for the reply, however there was no config change after I
installed this file.
The action is happening automatically, since it occurred at 4AM.
I suspect that the prelink cron job is doing this.
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list