On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
> Debora Velarde wrote:
> > # auditctl -a exit,always -S open -F inode=4
> > # auditctl -l
> > LIST_RULES: exit,always inode=4 (0x4) syscall=open
>
> I wonder what this is actually doing. An inode number without
> a file system isn't very interesting. Should this rule even
> be accepted?

Well, probably this is telling the audit system to audit access to all
inodes with the number 4 on any filesystem, and if that's not what you
want you need to be more specific...

Given the Unix philosophy of allowing admins to shoot themselves in the
foot, would a warning be appropriate?

-Klaus

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
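
Added example (not part of the original thread, and not code from the audit project): a small Python check that shows why a bare inode=4 rule is ambiguous and prints a device-qualified rule for each match, using auditctl's devmajor and devminor fields. The sample records and helper names are constructed for illustration, and it assumes stat's st_dev is the device the audit filter compares against.

```python
import os
from collections import defaultdict

def stat_records(paths):
    """Return (path, st_dev, st_ino) for each path that can be stat'ed."""
    out = []
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue  # unreadable or vanished path: skip it
        out.append((p, st.st_dev, st.st_ino))
    return out

def ambiguous_inodes(records):
    """Map inode number -> {device: [paths]} for inode numbers that occur
    on more than one device, i.e. where an inode-only rule matches
    unrelated files."""
    by_ino = defaultdict(lambda: defaultdict(list))
    for path, dev, ino in records:
        by_ino[ino][dev].append(path)
    return {ino: {d: sorted(p) for d, p in devs.items()}
            for ino, devs in by_ino.items() if len(devs) > 1}

def qualified_rule(dev, ino, syscall="open"):
    """Build the rule from the thread, narrowed to a single device."""
    return ("auditctl -a exit,always -S %s -F inode=%d "
            "-F devmajor=%d -F devminor=%d"
            % (syscall, ino, os.major(dev), os.minor(dev)))

# Constructed sample: inode 4 exists on two different block devices.
SAMPLE = [
    ("/etc", os.makedev(8, 1), 4),
    ("/boot/grub", os.makedev(8, 2), 4),
    ("/home/lost+found", os.makedev(8, 3), 11),
]

if __name__ == "__main__":
    for ino, devs in sorted(ambiguous_inodes(SAMPLE).items()):
        for dev, paths in sorted(devs.items()):
            print(paths, "->", qualified_rule(dev, ino))
```

On a live system, pass stat_records() a list of real paths (for example the mount points from /proc/mounts) in place of SAMPLE.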
