RHEL 4, Auditing

List Quest listquest at gmail.com
Tue Jul 20 12:53:43 UTC 2010


Hi;

OK. For example, to watch the /root directory and its subdirectories:

I can only scan the /root directory recursively (find /root/ -type d) and add
all the result lines to the audit.rules file.

Is this technique correct?

Best Regards


On Tue, Jul 20, 2010 at 3:24 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Tuesday, July 20, 2010 08:04:02 am List Quest wrote:
> > I am trying RHEL 4.x series auditing.
> >
> > Example:
> > Audit version: audit-1.0.15-3.EL4
> >
> > -w /root -p w
> >
> > I added this config line to audit.rules, but this config watches only
> > "/root" directory writes. It does not watch "/root/Desktop", "/root/test", etc...
> >
> > I can't do a recursive directory watch, like in audit version audit-1.7.17-3.
> >
> > How can I do this?
>
> That is correct. The first iteration of the audit system has some
> limitations that were fixed over time. For example, another thing you
> cannot do on the older kernels is add a key to syscall rules.
>
> -Steve
>
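
The approach asked about above (one `-w <dir> -p w` line per directory returned by `find /root -type d`), written out as an added example that is not part of the original messages. The function name `gen_watch_rules` is hypothetical, and the script assumes a rules line is split on whitespace, so it reports such paths instead of emitting a broken rule.

```shell
#!/bin/sh
# Added example: emit one non-recursive watch rule per directory under a root,
# in the "-w <path> -p <perms>" form quoted in the thread.

# gen_watch_rules ROOT [PERMS]
#   stdout: one rule line per directory, sorted
#   stderr: directories that could not be expressed as a rule
#   return: 0 ok, 1 ROOT is not a directory, 2 some directories were skipped
gen_watch_rules() {
    root=${1%/}                 # drop one trailing slash
    [ -n "$root" ] || root=/    # "/" itself became empty above
    perms=${2:-w}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Assumption: a rules line is tokenised on whitespace, so a path that
    # contains whitespace cannot be passed as a single -w argument.
    # List those paths on stderr rather than silently leaving them unwatched.
    skipped=$(find "$root" -type d -path '*[[:space:]]*' -print)
    if [ -n "$skipped" ]; then
        printf 'no rule written (whitespace in path):\n%s\n' "$skipped" >&2
    fi

    # Every remaining directory, ROOT included, gets its own watch.
    find "$root" -type d ! -path '*[[:space:]]*' -print | LC_ALL=C sort |
    while IFS= read -r dir; do
        printf '%s %s %s %s\n' -w "$dir" -p "$perms"
    done

    [ -z "$skipped" ] || return 2
}

# Stand-alone use: ./gen_watch_rules.sh /root w > watches.rules
[ $# -eq 0 ] || gen_watch_rules "$@"
```

Each generated line covers only the directory it names, so directories created after the list was built have no watch until the list is regenerated and the rules are reloaded.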