On Tue, 2006-06-27 at 17:21 -0400, Steve Grubb wrote: > On Tuesday 27 June 2006 17:15, Amy Griffis wrote: > > If you would like to see a record in this case, you must add a watch > > for /var/log/audit. > > I don't see a record watching this either. > > -Steve
Maybe because you're executing in the system-call attempting the access of audit.log and it's in this context the permissions to do so are checked. Been awhile, but looking at fs/open.c:do_sys_open, should there be an fsnotify_open() hook in the error path as well? -tim -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
