audit rule question

LC Bruzenak lenny at magitekltd.com
Wed May 7 16:16:01 UTC 2008


Q: Manpage says:
 
"-S [Syscall name or number|all]"
..."You may also specify multiple syscalls in the same rule as a comma
separated list with no spaces in between. Doing so improves performance
since  fewer rules need to be evaluated."...

So I'd have thought that this would work:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change

but only this does:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change

Restarting auditd says:
There was an error in line 165 of /etc/audit/audit.rules

Am I misunderstanding this option, or is there a manpage or code error?
audit-1.7.2-6.fc9.x86_64

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
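Added example, not part of the original message: a small POSIX shell/awk rewriter that turns the comma-separated `-S adjtimex,settimeofday` form from the manpage into the repeated `-S adjtimex -S settimeofday` form that loaded on the poster's audit build, so one rules file can be kept in the documented syntax and expanded for auditd versions that reject it. The rule line and the function names are constructed for this example; no auditctl is needed to run it.

```shell
#!/bin/sh
# Constructed example: expand "-S a,b,c" into "-S a -S b -S c" in audit rule
# lines. Everything else on the line (including "-a always,exit", whose
# comma is not a syscall list) passes through unchanged.

expand_syscalls() {
    # $1: one audit rule line; prints the rewritten line.
    printf '%s\n' "$1" | awk '
        # comments and blank lines are passed through untouched
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-S" && i < NF) {
                    # split the comma-separated list; each name gets its own -S
                    n = split($(i + 1), parts, ",")
                    for (j = 1; j <= n; j++)
                        if (parts[j] != "") out = out "-S " parts[j] " "
                    i++
                } else {
                    out = out $i " "
                }
            }
            sub(/ $/, "", out)
            print out
        }'
}

# Apply to a whole rules file on stdin, e.g.
#   expand_rules < audit.rules > audit.rules.expanded
expand_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        expand_syscalls "$line"
    done
}
```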
