
Re: Audit with path exception rule



On Monday 23 July 2007 11:25:22 am Ameel Kamboh wrote:
> I would like to audit the file system for anyone creating new files.
> However, I would like to exclude a directory from the watch list.
>
> Here is the sample I have:
>
> #3.     create/Remove any files
> -a exit,always -S creat  -F path!=/var/myApp   <--- line 21
> -a exit,always -S unlink -F path!=/var/myApp

I was hoping one of the kernel people was going to jump in with an answer 
here. I have a feeling that the kernel doesn't allow it. I think it would be 
trivial to patch the kernel to allow this and we should. The rule you are 
trying to express seems reasonable to me.

-Steve

