On Tuesday 29 July 2008 21:06:45 Peng Haitao wrote:
> When the watched file is deleted or renamed, the log will be made.
> You can get the result by following steps:
>
> 1. # service auditd start
> 2. # touch temp_file
> 3. # auditctl -w `pwd`/temp_file -k temp_file
> 4. # rm -f temp_file
>
> /var/log/audit/audit.log will contain:
> node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101):
> op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295
> ino=4294967295 list=0 res=1

I am applying a patch that will allow parsing for missing auid fields in CONFIG_CHANGE records. I think that is the only loose end to tie up on this bug report.

-Steve
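
The following is an added example, not part of the original thread and not the patch or the audit project's own parser: a small Python reader for the CONFIG_CHANGE record quoted above that treats `auid` as optional and flags a rule update whose `dev` and `ino` are both 4294967295. The function names, the `UNSET` constant and the reading of 4294967295 as "no device/inode attached" are assumptions made for the example.

```python
import re

# Constructed sample: the record quoted in the thread, joined onto one line.
SAMPLE = (
    'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): '
    'op=updated rules specifying path="/home/pht/temp_file" '
    'with dev=4294967295 ino=4294967295 list=0 res=1'
)

HEADER = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET = 0xFFFFFFFF  # 4294967295; assumed to mean "no device/inode attached"


def parse_record(line):
    """Return the fields of one audit.log line; 'auid' is None when absent."""
    hdr = HEADER.search(line)
    if hdr is None:
        raise ValueError("no msg=audit(...) header found")
    secs, millis, serial = (int(g) for g in hdr.groups())
    rec = {"secs": secs, "millis": millis, "serial": serial, "auid": None}
    # Scan the text on both sides of the header. Bare words with no '='
    # ("rules", "specifying", "with") are free text and are skipped.
    body = line[:hdr.start()] + " " + line[hdr.end():]
    for key, value in FIELD.findall(body):
        rec[key] = value.strip('"')
    # A missing or non-numeric auid is reported as None instead of failing.
    auid = rec["auid"]
    rec["auid"] = int(auid) if auid is not None and auid.isdigit() else None
    return rec


def watched_path_gone(rec):
    """True for a CONFIG_CHANGE rule update whose dev and ino are both unset."""
    if rec.get("type") != "CONFIG_CHANGE" or rec.get("op") != "updated":
        return False
    try:
        return int(rec["dev"]) == UNSET and int(rec["ino"]) == UNSET
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    r = parse_record(SAMPLE)
    print(r["serial"], r["path"], r["auid"], watched_path_gone(r))
```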
