On Thursday 01 February 2007 09:59:00 Stephen Smalley wrote:
> > Assuming current generation of audit code...
> >
> > auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
>
> Hmmm...on FC6, that yields an error from auditctl:
> key option needs a watch or syscall given prior to it
>
> Dropping the -k option avoids the error message, but overwriting a bin_t
> file doesn't generate any audit message.

This turned out to be a bug in libaudit which was fixed in 1.4.1. It should
work as I stated above when you upgrade. If not, let me know...

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
