audit.rules umount problem
Mr. Paul M. Whitney
paul.whitney at me.com
Sun Jan 9 15:18:34 UTC 2011
I am trying to add rules that audit umount/umount2. My entries are:
<from audit.rules>
-a always,exit -F arch=b32 -S umount -F auid>=500 -F auid!=4294967295 -k umount
# This line with 64 generates and error in the rules.
-a always,exit -F arch=b64 -S umount -F auid>=500 -F auid!=4294967295 -k umount
# These next two appear to be ok
-a always,exit -F arch=b32 -S umount2 -F auid>=500 -F auid!=4294967295 -k umount
-a always,exit -F arch=b64 -S umount2 -F auid>=500 -F auid!=4294967295 -k umount
< end audit.rules>
Can some please tell me why this line is generating and error and possibly a solution?
Thank you,
Paul
More information about the redhat-list
mailing list