On Wednesday, August 24, 2011 10:40:32 AM Steve Grubb wrote: > So, the rule is: > > -a always,exit -F arch=b64 -S ioctl -F a1=40086602
One correction, you need a 0x in that: -a always,exit -F arch=b64 -S ioctl -F a1=0x40086602 -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
