On Wednesday 17 May 2006 17:12, Michael C Thompson wrote: > > Please let me know if there are any problems with this release. > > auditctl -a entry,always -S chmod -F "watch=/root/file" > > This fails... how is one supposed to use the new 'watch' field filter?
This was already reported on SE Linux mail list last week. The short answer is that policy needs to be adjusted to make this work. I don't know if the changes have been rolled out yet. Just as a test, try "setenforce 0" and then load the audit rule. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
