"Watch"ing a directory
Steve Grubb
sgrubb at redhat.com
Wed Aug 22 16:03:41 UTC 2007
On Wednesday 22 August 2007 11:40:00 Pete Briggs wrote:
> Once I tried something like touching a file, this worked as advertised,
> I'm using kernel:
>
> 2.6.21-1.3194.fc7
>
> on Fedora 7
Fedora 7 does not have the subtree auditing patch in it yet. This means that
if you place a watch on a directory, it is watching the inode of the
directory entries. So, this will work for 1 level.
IOW a watch on /etc will let you see a change to /etc/passwd, but you will not
see a change to /etc/ssh/ssh_config because its 2 levels down.
-Steve
More information about the Linux-audit
mailing list