Quoting Steve G linux_4ever@yahoo.com:
This is all in work. The 0.7.4 audit package has some information about setting file watches (auditctl -w -p ). However, you need to have a kernel that's patched for it. We are still peer reviewing this capability. I think we have just a few more locking issues to solve and then it will be sent to lkml. I have put the tools into FC4 so that when the file system auditing patch does go upstream & you do a kernel update, everything starts working.
Sounds like great news.
I take it that even if I fire up auditd on RHEL4 today, and attempt to play with auditctl, it isn't going to work until there is updated kernel (or I patch/recompile existing kernel)?
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.