On Tuesday 06 April 2010 05:13:49 am Juraj Hlista wrote:
> The patches were denied, because it can be implemented without
> touching the kernel (in the audit plugin, which I'm working on now)

Yes. It should be possible to set a list of parameters to match against and then run auditctl when a match is found. Auditctl can delete by key, so if you have a set of rules for a specific reaction, then you can add a key to the rules. Then if another rule is matched that would want to delete the rules, you can do that. For example, mount might require adding rules, unmount would probably delete any watches, but you can make sure everything is gone with a second match. Same thing with logon/logoff of a specific user.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
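
The keyed add/delete pattern described in the reply above, as an added example that is not code from the thread or from the audit project. The event names, the `react-...` key scheme, the function names and the sample targets are assumptions; the auditctl commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example. Event names, key scheme and sample targets are assumptions.
# Dry run by default: commands are printed. Set APPLY=1 (as root) to run them.

# One key per reaction, so all of its rules can be removed by key later.
rule_key() {
    key=$(printf 'react-%s-%s' "$1" "$(printf '%s' "$2" | tr -c 'A-Za-z0-9' '_')")
    # auditctl documents a 31-byte key limit; refuse rather than truncate,
    # because a truncated key could collide with another reaction's rules.
    [ "${#key}" -le 31 ] || { echo "key too long: $key" >&2; return 1; }
    printf '%s' "$key"
}

run() {
    if [ "${APPLY:-0}" = 1 ]; then auditctl "$@"; else echo "auditctl $*"; fi
}

# react EVENT TARGET  (TARGET: a mount point, or a numeric audit UID)
react() {
    case $1 in
        mount)
            key=$(rule_key mount "$2") || return 1
            run -D -k "$key"    # clear leftovers so a repeat adds no duplicate
            run -w "$2" -p wa -k "$key" ;;
        umount)
            key=$(rule_key mount "$2") || return 1
            run -D -k "$key" ;;
        login)
            key=$(rule_key user "$2") || return 1
            run -D -k "$key"
            run -a always,exit -F arch=b64 -S execve -F auid="$2" -k "$key" ;;
        logout)
            key=$(rule_key user "$2") || return 1
            run -D -k "$key" ;;
        *)
            echo "unknown event: $1" >&2; return 2 ;;
    esac
}

# Constructed sample events, dry run only.
react mount /mnt/usb
react umount /mnt/usb
react login 1000
react logout 1000
```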
