On Fri, 2016-12-30 at 09:58 -0800, Rick Stevens wrote: > On 12/30/2016 06:55 AM, Patrick O'Callaghan wrote: > > On Thu, 2016-12-29 at 16:04 -0800, Rick Stevens wrote: > > > > I think you're right, though it requires a close reading of the man > > > > page to understand this. Anyway I've enabled it in the audit rules and > > > > so far it seems to work. > > > > > > Huzzah! Hope that's "the magic bullet" for you. > > > > Unfortunately it's still doing it. > > Wild idea...try deleting the rule, then re-adding it specifying "-A" > instead of "-a" (put it at the top of the rule list rather than the > end). Perhaps an earlier rule is generating the entry before this new > rule is invoked. No, makes no difference. I'm testing by using auditctl directly rather than editing the rules files but that's supposed to be the same (barring reboots of course). poc _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
