Am 23. Mai 2017 14:51:29 MESZ schrieb Steve Grubb <[email protected]>: >Hello, > >On Tue, 23 May 2017 11:05:18 +0200 >Klaus Lichtenwalder <[email protected]> wrote: >> Am 19. Mai 2017 23:41:58 MESZ schrieb Stephen Buchanan >> <[email protected]>: >> >Agree with Steve's suggestion re: "-S all". Also might help if you >> >sort >> >> I now know where -S all stems from... Some watches add a -S all by >> themselves... Probably created an audit.rules file by textually >> working from there and duplicating rules > >What is the source of your rules listed? Is it coming from auditctl -l >or from /etc/audit/audit.rules? There were a couple releases of >auditctl where I think -S all may have been added but if I remember it >was fixed a few releases later. The rules that come from disk would be >more accurate. >
Well, they came from auditctl -l System in question is RHEL6.8, can't tell actual package version right now, as I'm on the road... But thanks, will keep in mind to stick to the files... Klaus -- Mit K9 vom Telefon gesendet. Tippfehler und komische Worte darf der Empfänger behalten -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
