On Wednesday 06 August 2008 03:27:00 Chu Li wrote:
> And I found another problem, when using "-a 'list','action' -w /mnt", it
> will always add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa".
> I found "-w" will use the "exit" list automatically. I think it's better to
> add something about it in the manual.

There are 2 forms of audit rules, the syscall syntax (-a) and the watch syntax (-w). They cannot be mixed. When -w is given, only -p and -k are valid. When -a is given, -w is invalid.

The -w notation is primarily for backwards compatibility with RHEL4. In it you do not give a list. When writing watches in RHEL5 and later, you can now use syscall notation like this:

-a always,exit -F perm=wa -F path=/etc/shadow

Note that -S is not given. The kernel selects the syscalls based on the perm field.

Hope this helps.

-Steve
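
Added example, not part of the original message and not code from the audit project: a small Python linter that applies the constraints stated in the reply above (no mixing of -w and -a; only -p and -k alongside -w) and rewrites a valid watch in the syscall notation shown there. The function names, the `field` parameter and the sample lines are assumptions made for illustration; the default of perm=rwxa when -p is omitted is taken from the listing quoted in the thread.

```python
import shlex

# Per the reply: with -w, only -p and -k are valid.
WATCH_ONLY = {"-w", "-p", "-k"}

def parse(line):
    """Split one rule line into (option, value) pairs."""
    toks = shlex.split(line)
    if toks and toks[0] == "auditctl":
        toks = toks[1:]
    pairs, i = [], 0
    while i < len(toks):
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        pairs.append((toks[i], toks[i + 1] if has_val else None))
        i += 2 if has_val else 1
    return pairs

def check(line):
    """Return a list of problems with mixing watch and syscall syntax."""
    opts = [o for o, _ in parse(line)]
    problems = []
    if "-w" in opts and "-a" in opts:
        problems.append("-w and -a cannot be mixed")
    if "-w" in opts:
        for o in sorted(set(opts) - WATCH_ONLY - {"-a"}):
            problems.append(f"{o} is not valid with -w")
    return problems

def to_syscall(line, field="path"):
    """Rewrite a valid -w watch in syscall notation (no -S is emitted)."""
    problems = check(line)
    if problems:
        raise ValueError("; ".join(problems))
    opts = dict(parse(line))
    if not opts.get("-w"):
        raise ValueError("not a watch rule")
    perm = opts.get("-p") or "rwxa"  # default as shown in the quoted listing
    rule = ["-a", "always,exit", "-F", f"perm={perm}", "-F", f"{field}={opts['-w']}"]
    if opts.get("-k"):
        rule += ["-k", opts["-k"]]
    return shlex.join(rule)

if __name__ == "__main__":
    # Constructed sample lines, not taken from a real rules file.
    for sample in ["-w /etc/shadow -p wa", "-a always,exit -w /mnt", "-w /etc/passwd -S open"]:
        print(sample, "=>", check(sample) or to_syscall(sample))
```

Pass `field="dir"` for a directory watch, matching the `dir=/mnt` form in the quoted listing.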