From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: auditctl: how do I remove a watch?
Date: Mon, 8 Nov 2010 21:27:33 -0500
Message-ID: <201011082127.33830.sgrubb@redhat.com>
References: <AANLkTikN28ns0TvxTM9y7RnmFR0eaz+AGKeQ=MKzkxCS@mail.gmail.com>
	<201011081620.22180.sgrubb@redhat.com>
	<AANLkTi=XJjEz-5wzGdCwcryzO_+o-dXZB91jR0tc0-2e@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <AANLkTi=XJjEz-5wzGdCwcryzO_+o-dXZB91jR0tc0-2e@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Mike Nixon <mnixxon@gmail.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, November 08, 2010 08:39:30 pm Mike Nixon wrote:
> This might be a dumb question but why not just manually edit the
> audit.rules file using 'vi' or some other text editor instead of using
> auditctl?

For permanent changes, I think that is what you want to do. But there may be times 
when you are short on disk space and want to pull one, or maybe you were experimenting 
and now you want to remove what you put in. :)

But this reminds me that we should have some capability to compare the rules file with 
what's in the kernel.

-Steve