This might be a dumb question but why not just manually edit the audit.rules file using 'vi' or some other text editor instead of using auditctl?
-M.

On Mon, Nov 8, 2010 at 4:20 PM, Steve Grubb <[email protected]> wrote:
> On Monday, November 08, 2010 12:27:47 pm Michael Convey wrote:
> > # auditctl -l
> > LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
> > LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
> > # auditctl -W /etc/hosts
> > Error sending delete rule data request (No such file or directory)
> >
> > What am I doing wrong?
>
> You have to match each field in the rule:
>
> [root ~]# auditctl -w /etc/hosts -p wa -k hosts-file
> [root ~]# auditctl -l
> LIST_RULES: exit,always watch=/etc/hosts perm=wa key=hosts-file
> [root ~]# auditctl -W /etc/hosts -p wa -k hosts-file
> [root ~]# auditctl -l
> No rules
>
>
> -Steve
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
>
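Added example, not part of the original thread: a small shell function that reads watch rules in the `LIST_RULES:` format quoted above and prints the `auditctl -W` command that repeats every field (path, `-p`, `-k`), which is the match the quoted reply says a delete needs. The function name `watch_delete_cmds` and the sample helper are hypothetical; it assumes that listing format and watch paths without whitespace, and it only prints the commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Turn `auditctl -l` watch lines into exact-match delete commands.
# Assumed input format (as quoted in the thread):
#   LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
# Commands are printed, never executed.

watch_delete_cmds() {
    while IFS= read -r line; do
        case $line in
            "LIST_RULES: "*watch=*) ;;   # a file watch rule: process it
            *) continue ;;               # "No rules", syscall rules, blanks
        esac
        path=
        perm=
        key=
        set -f                           # no globbing while splitting fields
        for field in $line; do
            case $field in
                watch=*) path=${field#watch=} ;;
                perm=*)  perm=${field#perm=} ;;
                key=*)   key=${field#key=} ;;
            esac
        done
        set +f
        cmd="auditctl -W $path"
        # Repeat only the fields the listed rule actually carries.
        if [ -n "$perm" ]; then cmd="$cmd -p $perm"; fi
        if [ -n "$key" ]; then cmd="$cmd -k $key"; fi
        printf '%s\n' "$cmd"
    done
}

# Constructed sample input: the two rules listed in the thread.
sample_rules() {
    cat <<'EOF'
LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
EOF
}

sample_rules | watch_delete_cmds
```

On a live system the input would come from `auditctl -l` instead of the sample helper.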
