File watch on group
Steve Grubb
sgrubb at redhat.com
Wed Jul 18 23:30:48 UTC 2007
On Wednesday 18 July 2007 05:46:40 pm Ameel Kamboh wrote:
> I would like to put a watch on a file for rwxa for a
> file being accessed by someone who is not in the same group as the file.
>
> Can this be done using an audit rule?
On RHEL5 or 2.6.19 or higher:
auditctl -a exit,always -S all -F perm=rwxa -F gid!=root \
    -F path=/etc/localtime -k gid-rule
and to see results:
ausearch --start today -k gid-rule
The only limitation is that you need to know the group beforehand.
-Steve
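
An added example, not part of the original post: one way to deal with the limitation noted above is to look up the file's group when the rule is generated. The function name build_gid_watch_rule and its arguments are hypothetical, and GNU stat is assumed; the auditctl options are the ones from the reply.

```shell
#!/bin/sh
# Added example: build the watch rule from the thread for any file, reading the
# file's owning group at generation time instead of hard-coding it.
# build_gid_watch_rule and its arguments are hypothetical names.

build_gid_watch_rule() {
    path=$1
    key=${2:-gid-rule}

    # The path= filter is given an absolute path to an existing object.
    case $path in
        /*) ;;
        *) echo "error: path must be absolute: $path" >&2; return 2 ;;
    esac
    [ -e "$path" ] || { echo "error: no such file: $path" >&2; return 2; }

    # Refuse characters that would need quoting when the printed rule is
    # pasted into a root shell.
    case $path$key in
        *[!A-Za-z0-9_./-]*)
            echo "error: unsupported character in path or key" >&2
            return 2 ;;
    esac

    # Numeric GID of the file's group (GNU stat assumed).
    gid=$(stat -c %g "$path") || return 1

    printf 'auditctl -a exit,always -S all -F perm=rwxa -F gid!=%s -F path=%s -k %s\n' \
        "$gid" "$path" "$key"
}

# When run as a script with arguments, print the rule for review; it is not
# applied here because loading audit rules requires root.
if [ "$#" -ge 1 ]; then
    build_gid_watch_rule "$@"
fi
```

The group is captured when the rule is generated, so the rule has to be regenerated and reloaded if the file's group is later changed.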