Thursday, 21 June 2018

Delete Linux Audit Rules and Controls

For Directory Rules:

[root ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
[root ~]# auditctl -W /etc/hosts
Error sending delete rule data request (No such file or directory)

What am I doing wrong?

You have to match each field in the rule:

[root ~]# auditctl -w /etc/hosts -p wa -k hosts-file
[root ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=wa key=hosts-file
[root ~]# auditctl -W /etc/hosts -p wa -k hosts-file
[root ~]# auditctl -l
No rules

To delete all loaded rules at once:
[root@dbsc audit]# auditctl -l
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=passwd_changes
LIST_RULES: exit,always watch=/etc/group perm=wa key=group_changes
LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers_changes
LIST_RULES: exit,always dir=/u01/oracle/audit_backup (0x18) perm=rwa key=secret_backup
[root@dbsc audit]# ls
auditd.conf  audit.rules
[root@dbsc audit]# auditctl -l
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=passwd_changes
LIST_RULES: exit,always watch=/etc/group perm=wa key=group_changes
LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers_changes
LIST_RULES: exit,always dir=/u01/oracle/audit_backup (0x18) perm=rwa key=secret_backup
[root@dbsc audit]# auditctl -D
No rules
[root@dbsc audit]# auditctl -l
No rules
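As an added example (not code from the original post): a small POSIX sh helper that rebuilds the complete `auditctl -W` command (path, permissions and key) from a `LIST_RULES` line in the older `auditctl -l` format shown above, and filters by key so a single rule can be removed instead of wiping everything with `auditctl -D`. The function names `delete_cmd_for_rule` and `delete_cmds_for_key` and the sample listing are constructed here; watched paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Rebuild the exact `auditctl -W` command for one rule from a LIST_RULES line
# as printed by the older `auditctl -l` format above. A delete request must
# echo every field (path, perm, key); a bare `auditctl -W /path` matches
# nothing and the kernel answers "No such file or directory".
# Assumption: watched paths contain no whitespace.

# delete_cmd_for_rule LINE -> prints the matching delete command, or fails
# when the line holds no watch/dir rule (e.g. the "No rules" output).
delete_cmd_for_rule() {
    path='' perm='' key=''
    # "LIST_RULES:", "exit,always" and the "(0x18)" flags token take no
    # argument on the -W line, so only three fields are kept.
    for tok in $1; do
        case $tok in
            watch=*|dir=*) path=${tok#*=} ;;
            perm=*)        perm=${tok#perm=} ;;
            key=*)         key=${tok#key=} ;;
        esac
    done
    [ -n "$path" ] || return 1
    cmd="auditctl -W $path"
    if [ -n "$perm" ]; then cmd="$cmd -p $perm"; fi
    if [ -n "$key" ];  then cmd="$cmd -k $key";  fi
    printf '%s\n' "$cmd"
}

# delete_cmds_for_key KEY: read LIST_RULES lines on stdin and print a delete
# command for each rule tagged with KEY, leaving every other rule alone.
delete_cmds_for_key() {
    while IFS= read -r line; do
        case " $line " in
            *" key=$1 "*) delete_cmd_for_rule "$line" ;;
        esac
    done
}

# Constructed sample: the rule listing from the session above.
SAMPLE_RULES='LIST_RULES: exit,always watch=/etc/passwd perm=wa key=passwd_changes
LIST_RULES: exit,always watch=/etc/group perm=wa key=group_changes
LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers_changes
LIST_RULES: exit,always dir=/u01/oracle/audit_backup (0x18) perm=rwa key=secret_backup'

# Offline demo; on a live host (as root) the same pipeline is
#   auditctl -l | delete_cmds_for_key secret_backup | sh
printf '%s\n' "$SAMPLE_RULES" | delete_cmds_for_key secret_backup
```

Newer audit releases print `auditctl -l` output in command syntax (`-w /etc/hosts -p wa -k hosts-file`), where the matching delete is the same line with `-w` replaced by `-W`; the field-matching rule is the same.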
