* auditctl: how do I remove a watch?
@ 2010-11-08 17:27 Michael Convey
  2010-11-08 21:20 ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Convey @ 2010-11-08 17:27 UTC (permalink / raw)
  To: linux-audit



Per the man page, to remove a watch, do the following:

 -W path
              Remove a watch for the file system object at path.


However, I get the following:

# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
# auditctl -W /etc/hosts
Error sending delete rule data request (No such file or directory)


What am I doing wrong?





* Re: auditctl: how do I remove a watch?
From: Steve Grubb @ 2010-11-08 21:20 UTC (permalink / raw)
  To: linux-audit

On Monday, November 08, 2010 12:27:47 pm Michael Convey wrote:
> # auditctl -l
> LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
> LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
> # auditctl -W /etc/hosts
> Error sending delete rule data request (No such file or directory)
>
> What am I doing wrong?

You have to match each field in the rule:

[root ~]# auditctl -w /etc/hosts -p wa -k hosts-file
[root ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=wa key=hosts-file
[root ~]# auditctl -W /etc/hosts -p wa -k hosts-file
[root ~]# auditctl -l
No rules


-Steve
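Added example, not part of the thread: a small POSIX sh helper that turns a line from the `auditctl -l` output format shown above into the fully matching `auditctl -W` command, so the delete request carries the same path, permissions and key as the rule in the kernel. It assumes the `watch=PATH perm=PERMS key=KEY` layout seen in this thread and paths without whitespace; the sample line is constructed from the first post.

```shell
# Build the "auditctl -W" command that matches a rule exactly as listed
# by "auditctl -l" (LIST_RULES format from this thread). Assumption: the
# line carries space-separated watch=, perm= and key= fields, and the
# watched path contains no whitespace.
delete_cmd_for_rule() {
    line=$1
    path='' perms='' key=''
    for field in $line; do
        case $field in
            watch=*) path=${field#watch=} ;;
            perm=*)  perms=${field#perm=} ;;
            key=*)   key=${field#key=} ;;
        esac
    done
    # Without a watch path there is nothing to delete.
    [ -n "$path" ] || return 1
    cmd="auditctl -W $path"
    # Every field the rule was loaded with must be repeated on -W,
    # otherwise the kernel reports "No such file or directory".
    [ -n "$perms" ] && cmd="$cmd -p $perms"
    [ -n "$key" ] && cmd="$cmd -k $key"
    printf '%s\n' "$cmd"
}

# Constructed sample, taken from the listing in the first post.
sample='LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file'
delete_cmd_for_rule "$sample"
```

Pipe the output into `sh` only after reviewing it; the helper prints the command rather than running it so the rule to be removed can be checked first.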


* Re: auditctl: how do I remove a watch?
From: Michael Convey @ 2010-11-08 21:50 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



On Mon, Nov 8, 2010 at 1:20 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Monday, November 08, 2010 12:27:47 pm Michael Convey wrote:
> > # auditctl -l
> > LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
> > LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
> > # auditctl -W /etc/hosts
> > Error sending delete rule data request (No such file or directory)
> >
> > What am I doing wrong?
>
> You have to match each field in the rule:
>
> [root ~]# auditctl -w /etc/hosts -p wa -k hosts-file
> [root ~]# auditctl -l
> LIST_RULES: exit,always watch=/etc/hosts perm=wa key=hosts-file
> [root ~]# auditctl -W /etc/hosts -p wa -k hosts-file
> [root ~]# auditctl -l
> No rules
>
>
> -Steve
>


Worked perfectly, thanks!!

Perhaps someone could update the man page to make this more clear. The man
page indicates "-W" and "path" are the only arguments needed.

Mike





* Re: auditctl: how do I remove a watch?
From: Mike Nixon @ 2010-11-09  1:39 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



This might be a dumb question but why not just manually edit the audit.rules
file using 'vi' or some other text editor instead of using auditctl?

-M.

On Mon, Nov 8, 2010 at 4:20 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Monday, November 08, 2010 12:27:47 pm Michael Convey wrote:
> > # auditctl -l
> > LIST_RULES: exit,always watch=/etc/hosts perm=rwa key=hosts-file
> > LIST_RULES: exit,always watch=/etc/resolv.conf perm=wa key=resolv
> > # auditctl -W /etc/hosts
> > Error sending delete rule data request (No such file or directory)
> >
> > What am I doing wrong?
>
> You have to match each field in the rule:
>
> [root ~]# auditctl -w /etc/hosts -p wa -k hosts-file
> [root ~]# auditctl -l
> LIST_RULES: exit,always watch=/etc/hosts perm=wa key=hosts-file
> [root ~]# auditctl -W /etc/hosts -p wa -k hosts-file
> [root ~]# auditctl -l
> No rules
>
>
> -Steve
>





* Re: auditctl: how do I remove a watch?
From: Steve Grubb @ 2010-11-09  2:27 UTC (permalink / raw)
  To: Mike Nixon; +Cc: linux-audit

On Monday, November 08, 2010 08:39:30 pm Mike Nixon wrote:
> This might be a dumb question but why not just manually edit the
> audit.rules file using 'vi' or some other text editor instead of using
> auditctl?

For permanent changes, I think that is what you want to do. But there may be times 
when you are short on disk space and want to pull one, or maybe you were experimenting 
and now you want to remove what you put in. :)

But this reminds me that we should have some capability to compare the rules file with 
what's in the kernel.

-Steve

