Q: Manpage says : "-S [Syscall name or number|all]" ..."You may also specify multiple syscalls in the same rule as a comma separated list with no spaces in between. Doing so improves performance since fewer rules need to be evaluated."...
So I'd have thought that this would work: -a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change but only this does: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change Restarting auditd says: There was an error in line 165 of /etc/audit/audit.rules Am I misunderstanding this option, or is there a manpage or code error? audit-1.7.2-6.fc9.x86_64 Thx, LCB. -- LC (Lenny) Bruzenak [EMAIL PROTECTED] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
