Re: [PATCH][v3] audit: fix a memleak caused by auditing load module

2019-03-07 Thread Paul Moore
On Wed, Mar 6, 2019 at 8:16 PM Li RongQing wrote: > > module.name will be allocated unconditionally when auditing load > module, and audit_log_start() can fail with other reasons, or > audit_log_exit maybe not called, caused module.name is not freed > > so free module.name in audit_free_context an

Re: Tracking Content Written to Files

2019-03-07 Thread F Rafi
Audit will tell you when a "write" change occurs. Auditd has a plugin framework to let you write custom code which consumes audit events. You can use that to orchestrate a file copy to save the file. Something like: https://github.com/karmab/audisp-simple Farhan On Wed, Mar 6, 2019 at 2:57 PM

[RFC PATCH ghak10 v6 2/2] ntp: Audit NTP parameters adjustment

2019-03-07 Thread Ondrej Mosnacek
Emit an audit record every time selected NTP parameters are modified from userspace (via adjtimex(2) or clock_adjtime(2)). Such events will now generate records of type AUDIT_TIME_ADJNTPVAL containing the following fields: - op -- which value was adjusted: - offset -- corresponding to the ti

[RFC PATCH ghak10 v6 0/2] audit: Log changes that can affect the system clock

2019-03-07 Thread Ondrej Mosnacek
This patchset implements auditing of (syscall-triggered) changes that can modify or indirectly affect the system clock. Some of these changes can already be detected by simply logging relevant syscalls, but this has some disadvantages: a) It is usually not possible to find out from the syscall re

[RFC PATCH ghak10 v6 1/2] timekeeping: Audit clock adjustments

2019-03-07 Thread Ondrej Mosnacek
Emit an audit record whenever the system clock is changed (i.e. shifted by a non-zero offset) by a syscall from userspace. The syscalls that can (at the time of writing) trigger such record are: - settimeofday(2), stime(2), clock_settime(2) -- via do_settimeofday64() - adjtimex(2), clock_ad