On Thursday 01 February 2007 09:59, Stephen Smalley wrote:
> > Assuming current generation of audit code...
> >
> > auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
>
> Hmmm...on FC6, that yields an error from auditctl:
> key option needs a watch or syscall given prior to it

Oops, that should be:

auditctl -a exit,always -F perm=w -F obj_type=bin_t -F key=executable

> Dropping the -k option avoids the error message, but overwriting a bin_t
> file doesn't generate any audit message. Similarly, adding a -S open
> avoids the error message while retaining the -k, but overwriting a bin_t
> file doesn't generate any audit message. Not sure where the problem
> lies there.

OK, we should look into this.

> Also, he mentioned RHEL 4 as his platform, so I would tend to think that
> his kernel and auditctl wouldn't support this anyway.

If so, it won't.

> So he may be limited to using auditallow statements in policy, which is
> certainly legitimate use of them (although I understand your goal of
> centralizing audit configuration).

Well, not just centralizing configuration, but that it's actually fit for its purpose. :)

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
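As an added example (not code from this thread, and not a tool from the audit project): the check Stephen describes doing by hand, "does overwriting a bin_t file produce an audit message, and does it carry the rule's key?", done offline over saved audit.log records. The records below are constructed for this example; the field values, the x86_64 arch (syscall 2 = open) and the file paths are assumptions, not captured data. The parser relies only on the msg=audit(ts:serial) grouping, the type=, success=, key= and a1= fields of the SYSCALL record and the obj= field of the PATH record, so it does not depend on the rest of the record layout.

```python
import re
from collections import OrderedDict

# Constructed sample audit.log records (written for this example, not taken
# from the thread or from any real system).  Assumed x86_64, syscall 2 = open.
#   serial 4521: cp overwrote /usr/bin/ls (bin_t), SYSCALL carries key "executable"
#   serial 4522: cat opened /usr/bin/ls read-only; a perm=w rule must not match
#   serial 4523: vi wrote /etc/motd (etc_t); wrong type for the bin_t rule
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1170345600.101:4521): arch=c000003e syscall=2 success=yes exit=3 a0=7fff3 a1=241 a2=1b6 a3=0 items=1 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cp" exe="/bin/cp" subj=root:system_r:unconfined_t:s0 key="executable"
type=CWD msg=audit(1170345600.101:4521):  cwd="/root"
type=PATH msg=audit(1170345600.101:4521): item=0 name="/usr/bin/ls" inode=131133 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
type=SYSCALL msg=audit(1170345600.205:4522): arch=c000003e syscall=2 success=yes exit=3 a0=7fff3 a1=0 a2=0 a3=0 items=1 ppid=2001 pid=2003 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" subj=root:system_r:unconfined_t:s0 key=(null)
type=CWD msg=audit(1170345600.205:4522):  cwd="/root"
type=PATH msg=audit(1170345600.205:4522): item=0 name="/usr/bin/ls" inode=131133 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
type=SYSCALL msg=audit(1170345600.310:4523): arch=c000003e syscall=2 success=yes exit=4 a0=7fff3 a1=241 a2=1b6 a3=0 items=1 ppid=2001 pid=2004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vi" exe="/bin/vi" subj=root:system_r:unconfined_t:s0 key=(null)
type=CWD msg=audit(1170345600.310:4523):  cwd="/root"
type=PATH msg=audit(1170345600.310:4523): item=0 name="/etc/motd" inode=2201 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# open(2) access-mode bits; a1 is the flags argument, logged in hex.
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
OPEN_SYSCALL_X86_64 = 2  # assumption: records come from an x86_64 box


def parse_record(line):
    """Split one audit record into a field -> value dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def group_events(log_text):
    """Group records by audit serial number, preserving first-seen order."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            events.setdefault(int(m.group(2)), []).append(parse_record(line))
    return events


def selinux_type(context):
    """Return the type of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def open_for_write(syscall_rec):
    """True when the SYSCALL record is an open() whose flags request write,
    i.e. what a -F perm=w rule is meant to catch on this path."""
    if syscall_rec.get("syscall") != str(OPEN_SYSCALL_X86_64):
        return False
    flags = int(syscall_rec.get("a1", "0"), 16)
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)


def writes_to_type(log_text, selinux_type_name="bin_t", key=None):
    """Report successful open-for-write events on files of the given type.

    With key set, the SYSCALL record must also carry that rule key; that is
    the way to confirm the auditctl rule itself fired, rather than some other
    rule or watch happening to cover the same file."""
    hits = []
    for serial, records in group_events(log_text).items():
        syscalls = [r for r in records if r.get("type") == "SYSCALL"]
        if not syscalls or syscalls[0].get("success") != "yes":
            continue
        sc = syscalls[0]
        if not open_for_write(sc):
            continue
        if key is not None and sc.get("key") != key:
            continue
        for p in (r for r in records if r.get("type") == "PATH"):
            if selinux_type(p.get("obj", "")) == selinux_type_name:
                hits.append({"serial": serial, "exe": sc.get("exe"),
                             "name": p.get("name"), "key": sc.get("key")})
    return hits


if __name__ == "__main__":
    for hit in writes_to_type(SAMPLE_AUDIT_LOG, "bin_t", key="executable"):
        print(hit)
```

Run against the sample, only serial 4521 is reported: the read-only open of the same bin_t file and the write to an etc_t file are both dropped. On a live box the equivalent quick check is ausearch -k executable after overwriting a bin_t file; the script is for copies of audit.log taken off a machine where that is not available.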
