From: zhangxiliang
Subject: Re: file watch result help
Date: Tue, 22 Jul 2008 08:58:52 +0800
To: LC Bruzenak
Cc: Linux Audit
List-Id: linux-audit@redhat.com

LC Bruzenak said the following on 2008-07-21 21:39:
> On Mon, 2008-07-21 at 13:16 +0800, zhangxiliang wrote:
>>> So the file is getting moved to a temp file and then back (is the
>>> prelink doing this?) with the result being that the CAP is erased.
>>>
>>> Not certain what is doing this in my system.
>>> Any clues or instructions on how to narrow the search?
>> Could you supply the audit message which type is "AUDIT_CONFIG_CHANGE" in your result?
>
> [root@hugo ~]# ausearch -i -k AUDIT_CONFIG_CHANGE
>
>

Sorry, "AUDIT_CONFIG_CHANGE" is a name in the code. In the result, it is named "CONFIG_CHANGE".
Could you supply the audit message whose type is "CONFIG_CHANGE" in your result?

> Thank you for the reply, however there was no config change after I
> installed this file.
> The action is happening automatically, since it occurred at 4AM.
> I suspect that the prelink cron job is doing this.
>
> LCB.
>