auditctl: how do I remove a watch?
Mike Nixon
mnixxon at gmail.com
Tue Nov 9 01:39:30 UTC 2010
This might be a dumb question, but why not just manually edit the audit.rules
file using 'vi' or some other text editor instead of using auditctl?
-M.
On Mon, Nov 8, 2010 at 4:20 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday, November 08, 2010 12:27:47 pm Michael Convey wrote:
> > # auditctl -l
> > LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
> > LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
> > # auditctl -W /etc/hosts
> > Error sending delete rule data request (No such file or directory)
> >
> > What am I doing wrong?
>
> You have to match each field in the rule:
>
> [root ~]# auditctl -w /etc/hosts -p wa -k hosts-file
> [root ~]# auditctl -l
> LIST_RULES: exit,always watch=/etc/hosts perm=wa key=hosts-file
> [root ~]# auditctl -W /etc/hosts -p wa -k hosts-file
> [root ~]# auditctl -l
> No rules
>
>
> -Steve
>
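
Added example, not part of the original messages or of the audit project's code: a shell helper that applies the "match each field" rule from the quoted reply by turning each watch line of `auditctl -l` output into the fully qualified `auditctl -W` command. It assumes the `LIST_RULES:` listing format shown in this thread and paths and keys without whitespace; the function names are hypothetical, and the commands are only printed, never executed.

```shell
#!/bin/sh
# Added example: build the matching delete command for each watch rule
# listed by `auditctl -l`. Uses only the -W, -p and -k options shown in
# the thread. Output is a dry run: nothing is removed.

# rule_to_delete LINE
# Prints the delete command for one watch rule. Returns 1 for any line
# without a watch= field (for example "No rules").
rule_to_delete() {
    watch= perm= key=
    set -f                      # no globbing while splitting the line
    for tok in $1; do           # fields are whitespace-separated name=value
        case $tok in
            watch=*) watch=${tok#watch=} ;;
            perm=*)  perm=${tok#perm=} ;;
            key=*)   key=${tok#key=} ;;
        esac
    done
    set +f
    [ -n "$watch" ] || return 1
    cmd="auditctl -W $watch"
    # Every field present in the listing must be repeated on deletion.
    [ -n "$perm" ] && cmd="$cmd -p $perm"
    [ -n "$key" ] && cmd="$cmd -k $key"
    printf '%s\n' "$cmd"
}

# delete_commands: read `auditctl -l` output on stdin and print one
# delete command per watch rule, skipping every other line.
delete_commands() {
    while IFS= read -r line; do
        rule_to_delete "$line" || :
    done
}

# Constructed sample input: the two rules from the listing in this thread.
sample_rules() {
    cat <<'EOF'
LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
EOF
}

sample_rules | delete_commands
```

On a live system the input would come from `auditctl -l | delete_commands`, and the printed commands can be reviewed before any of them is run.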