> All records must have auid. That is part of the requirements besides date,
> time, what happened, and what were the results.

When the watched file is deleted or renamed, the log will be made. You can get the result by the following steps:

1. # service auditd start
2. # touch temp_file
3. # auditctl -w `pwd`/temp_file -k temp_file
4. # rm -f temp_file

/var/log/audit/audit.log will contain:

node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295 ino=4294967295 list=0 res=1

> If that record is missing
> auid, we need to patch the kernel.
>
> -Steve

--
Regards
Peng Haitao
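
A check for the requirement discussed in this thread, as an added example (not code from the posters or from the audit project): it parses audit.log lines and reports records that carry no auid field. The second and third sample records are constructed, and the separate handling of auid=4294967295 (the value the kernel reports when no login uid was ever set) goes beyond what the thread covers.

```python
import re
from datetime import datetime, timezone

# msg=audit(<epoch>.<millis>:<serial>): gives the record's time and event serial
MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\):")
# key=value pairs; a value is either double-quoted or runs to the next space
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uid_t)-1: login uid was never set

# First record is the one quoted in the message above; the other two are constructed.
SAMPLE_LOG = """\
node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295 ino=4294967295 list=0 res=1
node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551940.112:97100): auid=500 op=add rule key="temp_file" list=4 res=1
node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551800.004:97090): auid=4294967295 op=add rule key="boot" list=4 res=1
"""


def parse_record(line):
    """Split one audit.log line into (utc_time, serial, fields); None if not a record."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return when, int(m.group(2)), fields


def auid_status(fields):
    """Classify a record: 'missing' (no auid field), 'unset' (-1) or 'ok'."""
    if "auid" not in fields:
        return "missing"
    return "unset" if fields["auid"] == UNSET_AUID else "ok"


def audit_gaps(log_text):
    """Return (serial, type, status) for every record whose auid is not usable."""
    gaps = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        _, serial, fields = rec
        status = auid_status(fields)
        if status != "ok":
            gaps.append((serial, fields.get("type", "?"), status))
    return gaps


if __name__ == "__main__":
    for serial, rtype, status in audit_gaps(SAMPLE_LOG):
        print(f"event {serial} type={rtype}: auid {status}")
```
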
