On Fri, 2006-07-07 at 10:58 -0400, Steve wrote:
> I have found that I can modify files that are being watched and audit
> does not catch it (i.e. no events are dispatched). When monitoring a file for
> all system calls, I can:
>
> echo "" > /file/to/watch
>
> or
>
> cat some_file > /file/to/watch
>
> without generating audit events. I assume this has to do with how the
> kernel handles re-direction. Is it possible to catch these modifications?
>
> Thanks,
> Steve

What are your rules? You should catch these on open() of /file/to/watch,
right?

-tim

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
