On 10/07/2014 01:26 PM, William Roberts wrote:
> is audit_n_rules the number of rules in the rule table? I ask, so if
> the example audit.rules posted in the auditd directory is loaded, then
> it should have set audit_n_rules to something like 4. audit_enabled
> should be 1, so we should end up getting the syscall records in a
> similar fashion to the kernel patch that hardcodes it? I ask because
> desktop world has -s support in audit.rules.

Yes, I believe that is correct. Use of -S (syscall filter) or -w (file watch) should increment the number of rules, which should turn on the machinery for collecting pathnames for later use by audit during pathname lookup.
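
As an added example (not part of the thread and not code from the auditd port), the sketch below reads an audit.rules file and counts the lines that, per the reply above, should increment the rule count: `-w` watches and rules carrying `-S`. The sample rules and the names `classify` and `summarize` are constructed for illustration; the result is an estimate from the file and does not read the kernel's `audit_n_rules`.

```python
import shlex

# Constructed sample, NOT the example audit.rules from the auditd directory.
SAMPLE_RULES = """\
# clear existing rules, set backlog
-D
-b 256
-w /data/misc/example -p wa -k example_watch
-a always,exit -F arch=b32 -S open -S openat -k opens
-a exit,always -S unlink
-a always,exit -F uid=0
-e 1
"""


def classify(tokens):
    """Classify one tokenized rule line as watch, syscall, other-rule or control."""
    if any(t.startswith("-w") for t in tokens):
        return "watch"                      # file watch
    if tokens[0] in ("-a", "-A"):
        # A filter rule; it is a syscall filter only if it names a syscall.
        if any(t.startswith("-S") for t in tokens):
            return "syscall"
        return "other-rule"
    return "control"                        # -D, -b, -e and similar settings


def summarize(text):
    """Count rule kinds and report the value given to -e, if any."""
    counts = {"watch": 0, "syscall": 0, "other-rule": 0, "control": 0}
    enabled = None
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)   # drops '#' comments
        if not tokens:
            continue
        counts[classify(tokens)] += 1
        if tokens[0] == "-e" and len(tokens) > 1:
            enabled = tokens[1]
    # Rules the reply says should turn on pathname collection.
    counts["pathname_rules"] = counts["watch"] + counts["syscall"]
    counts["enabled"] = enabled
    return counts


if __name__ == "__main__":
    result = summarize(SAMPLE_RULES)
    print(result)
    if result["pathname_rules"] == 0:
        print("no -S or -w rules: pathname collection is not expected")
```

A file that yields `pathname_rules` of 0 contains only control lines or filters without a syscall or watch, which is the case the question is trying to rule out.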
