---------- Forwarded message ---------- From: 4javier <[email protected]> Date: 2011/6/2 Subject: Re: Possible regression To: Steve Grubb <[email protected]>
root@Archbox /home/javier $ touch /tmp/test root@Archbox /home/javier $ cat /tmp/test root@Archbox /home/javier $ auditctl -w /tmp/test -p wa root@Archbox /home/javier $ echo ppp >> /tmp/test root@Archbox /home/javier $ cat /tmp/test ppp root@Archbox /home/javier $ ausearch -i -f /tmp/test <no matches> root@Archbox /home/javier $ auditctl -l LIST_RULES: exit,always watch=/tmp/test perm=wa root@Archbox /home/javier $ echo ppp > /tmp/test root@Archbox /home/javier $ ausearch -i -f /tmp/test <no matches> root@Archbox /home/javier $ ausearch -f /tmp/test <no matches> As you can see from auditcrl -l output, rule seems to be correctly set, but ausearch doesn't show anything. 2011/6/2 Steve Grubb <[email protected]> > On Thursday, June 02, 2011 09:45:38 AM you wrote: > > you're right...sorry for my fault... > > I didn't use the -a switch. I read the man, but I cannot understand how > > this settings is able to fix the problem with O_CREAT. > > Could you explain that to me, please? > > As far as I know, the problem was fixed in 2006 and there has been no > regression. The - > w command is translated into -a always,exit -F path= under the hood. Its > been this way > since watches were deprecated around 2005/2006. > > How were you testing? You might have found a bug and I just don't know how > to > reproduce it. > > -Steve >
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
