On 09/06/2013 03:50 PM, Joshua Brindle wrote: > Add libaudit support for adding directory watch rules. > > Add rule parsing support to auditd. > > Rule format matches auditctl. Currently only supports -w and -e. > > Change-Id: I8bdaea1b5e2a216eec79cd8c9dae583de8295d26 > > Signed-off-by: Joshua Brindle <[email protected]>
Maybe a bug in user, but I did this: - applied patch and rebuilt, - reflashed and booted, - created a /data/misc/audit/audit.rules file that contained: -w /data/system -p wa - adb reboot - adb logcat > logcat.txt - adb shell su 0 cat /proc/kmsg > dmesg.txt logcat.txt showed: --------- beginning of /dev/log/system I/auditd ( 119): Starting up I/audit_log( 119): Previous audit logfile detected, rotating E/audit_rules( 119): -w /data/system -p wa And then nothing else from auditd. /data/misc/audit/audit.log has no entries other than the usual: type=2000 msg=audit(0.710:1): initialized type=1403 msg=audit(1378733645.695:2): policy loaded auid=4294967295 ses=4294967295 type=1404 msg=audit(1378733645.695:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 type=1403 msg=audit(1378733647.665:4): policy loaded auid=4294967295 ses=4294967295 type=1404 msg=audit(1378733830.500:5): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 Creating and deleting files under /data/system appears to do nothing. What did I miss? -- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
