file watch result help
zhangxiliang
zhangxiliang at cn.fujitsu.com
Tue Jul 22 00:58:52 UTC 2008
LC Bruzenak said the following on 2008-07-21 21:39:
> On Mon, 2008-07-21 at 13:16 +0800, zhangxiliang wrote:
>>> So the file is getting moved to a temp file and then back (is the
>>> prelink doing this?) with the result being that the CAP is erased.
>>>
>>> Not certain what is doing this in my system.
>>> Any clues or instructions on how to narrow the search?
>> Could you supply the audit message which type is "AUDIT_CONFIG_CHANGE" in your result?
>
> [root at hugo ~]# ausearch -i -k AUDIT_CONFIG_CHANGE
> <no matches>
>
sorry, "AUDIT_CONFIG_CHANGE" is a name in code. In result, it names "CONFIG_CHANGE".
Could you supply the audit message which type is "CONFIG_CHANGE" in your result?
> Thank you for the reply, however there was no config change after I
> installed this file.
> The action is happening automatically, since it occurred at 4AM.
> I suspect that the prelink cron job is doing this.
>
> LCB.
>
More information about the Linux-audit
mailing list