proposed interface changes for filesystem audit

Timothy R. Chavez tinytim at us.ibm.com
Wed Nov 2 22:49:44 UTC 2005


On Wednesday 02 November 2005 15:22, Steve Grubb wrote:
> On Wednesday 02 November 2005 16:10, Amy Griffis wrote:
> > auditctl -a exit,always -S all -F path=/home/watchme
> 
> Thanks. That helps clarify it for me.
> 
> > These two rules would be functionally equivalent, but the first is
> > more convenient:
> >
> > auditctl -a exit,always -S fs-remove -F path=/home/watchme
> > auditctl -a exit,always -S rename -S rmdir -S unlink -F path=/home/watchme
> 
> Does your patch change the kernel to accept multiple syscalls in an audit 
> rule? Currently, we have 1 syscall per rule.
> 
> -Steve
> 

What does this do then?

[root@liltux audit-2.6]# auditctl -a exit,always -S exit -S open -F uid=0
[root@liltux audit-2.6]# auditctl -l
AUDIT_LIST: exit,always uid=0 syscall=exit,open

-tim



