Re: Format for multiple syscalls in a rule

On Tuesday 28 March 2006 13:15, Mont Rothstein wrote:
> Could someone please enlighten me?  I am trying to audit all access to
> files (read, write, remove).  I believe all I need to do is audit open,
> write, and rmdir in a single rule.  I just can't figure out how to format
> it.

This is in the latest capp.rules file. To find the file:
[~]$ rpm -ql audit | grep capp

in it:

## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
-a entry,possible -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64

## directory operations
-a entry,possible -S mkdir -S rmdir

## moving, removing, and linking
-a entry,possible -S unlink -S rename -S link -S symlink

I recommend combining rules where possible since this improves
the overall performance...it has fewer rules to iterate through.
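As an added illustration of the combining advice above (this script is not part of the original mail or of the audit package): a small POSIX shell/awk filter that takes a rules file and merges every `-a` rule sharing the same list,action and the same non-`-S` fields (for example the same `-F` filters) into one rule carrying several `-S` flags. Rules with different filters are kept apart because they cannot be merged safely. The sample rules fed in are constructed for the demonstration; the `merge_syscall_rules` and `sample_rules` names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original mail: consolidate audit rules that
# share the same "-a <list>,<action>" prefix and the same non-syscall fields
# into a single rule with multiple -S flags, as the reply recommends.

# Read rules on stdin, print the merged rules on stdout.
# - comment and blank lines are dropped
# - lines that are not "-a" rules (e.g. "-w" watches) pass through unchanged
# - "-a" rules are grouped by list,action plus all fields other than "-S x"
merge_syscall_rules() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # drop comments and blank lines
    $1 == "-a" {
        key = $2; calls = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-S" && i < NF) { i++; calls = calls " -S " $i }
            else key = key " " $i           # -F filters etc. become part of the key
        }
        if (!(key in merged)) { keys[++n] = key; merged[key] = "" }
        merged[key] = merged[key] calls
        next
    }
    { print }                               # pass other rule types through untouched
    END { for (j = 1; j <= n; j++) print "-a " keys[j] merged[keys[j]] }
    '
}

# Constructed sample input in the legacy "entry,possible" form used in the mail.
sample_rules() {
    printf '%s\n' \
        '## File content modification' \
        '-a entry,possible -S creat' \
        '-a entry,possible -S open -S truncate' \
        '## directory operations' \
        '-a entry,possible -S mkdir' \
        '-a entry,possible -S rmdir' \
        '## a rule with a filter stays separate' \
        '-a entry,possible -F arch=b64 -S unlink'
}

# Run the sample through the filter; five syscall rules become two.
merged_sample() {
    sample_rules | merge_syscall_rules
}

merged_sample
```

Run it as `merge_syscall_rules < capp.rules` to see what a consolidated file would look like before loading it with auditctl; the script only rewrites text, so auditctl still performs the real validation of syscall names. Note that the `entry,possible` list form shown in the mail is the legacy syntax of that era; current kernels accept only `always,exit` (and `task`, `user`, `exclude`) lists, so the same merging applies with `-a always,exit` on a modern system.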


