From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: Re: file watch result help
Date: Mon, 21 Jul 2008 08:39:14 -0500
Message-ID: <1216647554.8213.32.camel@homeserver>
References: <1216612916.8213.23.camel@homeserver> <48841BB5.6080904@cn.fujitsu.com>
In-Reply-To: <48841BB5.6080904@cn.fujitsu.com>
To: zhangxiliang
Cc: Linux Audit
List-Id: linux-audit@redhat.com

On Mon, 2008-07-21 at 13:16 +0800, zhangxiliang wrote:
> >
> > So the file is getting moved to a temp file and then back (is the
> > prelink doing this?) with the result being that the CAP is erased.
> >
> > Not certain what is doing this in my system.
> > Any clues or instructions on how to narrow the search?
>
> Could you supply the audit message which type is "AUDIT_CONFIG_CHANGE" in your result?

[root@hugo ~]# ausearch -i -k AUDIT_CONFIG_CHANGE

Thank you for the reply, however there was no config change after I
installed this file.
The action is happening automatically, since it occurred at 4AM.
I suspect that the prelink cron job is doing this.

LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com