auditctl rule to monitor dir only (not all sub dir and files etc..)

Stefano Schiavi stefanoschiavi00 at gmail.com
Thu Sep 26 18:58:45 UTC 2013


Thank you so much Steve!

Do you know how to set this up via "auditctl" ?

I was not able to find a way looking at:
[~]# auditctl -help

Otherwise where would I edit the rule? (It's not in the .rules file, but 
it is displayed if I run auditctl -l.)

Thank you so much
Stefano

On 09/26/2013 08:25 PM, Steve Grubb wrote:
> On Thursday, September 26, 2013 05:36:45 PM Stefano Schiavi wrote:
>> I am trying to use auditd to monitor changes to a directory. The problem
>> is that when I setup a rule it does monitor the dir I specified but also
>> all the sub dir and files making the monitor useless due to endless
>> verbosity.
>>
>> Here is the rule I setup:
>> auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
> A watch is really a syscall rule in disguise. If you place a watch on a
> directory, auditctl will turn it into:
>
> -a exit,always  -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
>
> The -F dir field is recursive. However, if you just want to watch the directory
> entries, you can change that to -F path.
>
> -a exit,always  -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
>
> This is not recursive and just watches the inode that the directory occupies.
>
> -Steve
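As an added example (not part of this thread), a POSIX shell helper that builds the syscall-rule form Steve describes from a watch spec, using -F path for the non-recursive case and -F dir for the recursive one, and appends it to a rules file so it survives a restart. The function names audit_dir_rule and install_rule and the rules file location are assumptions; the directory, permissions and key reuse the values from the thread.

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread.
# audit_dir_rule DIR PERMS KEY [recursive]
# Prints the syscall rule that "auditctl -w DIR -p PERMS -k KEY" expands to.
# Default: -F path, which watches only the directory's own inode.
# With a 4th argument "recursive": -F dir, auditctl's default for a watch
# on a directory, which also covers every subdirectory and file under it.
audit_dir_rule() {
    dir=$1; perms=$2; key=$3; mode=${4:-nonrecursive}
    case "$dir" in
        /*) ;;
        *) echo "audit_dir_rule: path must be absolute: $dir" >&2; return 1 ;;
    esac
    # permission flags must be a non-empty subset of r, w, x, a (attribute change)
    case "$perms" in
        *[!rwxa]*|"") echo "audit_dir_rule: bad perms: $perms" >&2; return 1 ;;
    esac
    if [ "$mode" = recursive ]; then field=dir; else field=path; fi
    printf '%s\n' "-a exit,always -F $field=$dir -F perm=$perms -F key=$key"
}

# install_rule RULE FILE: append RULE to a rules file (the persistent form,
# e.g. a file under /etc/audit/rules.d/ on augenrules-based systems or
# /etc/audit/audit.rules on older ones), skipping an exact duplicate, and
# load it live when running as root with auditctl available.
install_rule() {
    rule=$1; file=$2
    touch "$file" || return 1
    grep -qxF -- "$rule" "$file" || printf '%s\n' "$rule" >> "$file"
    if [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
        # word-splitting on purpose: the rule is a list of auditctl arguments
        # shellcheck disable=SC2086
        auditctl $rule
    fi
}

# Usage (the thread's case: watch the directory entry only, not the tree):
#   rule=$(audit_dir_rule /home/raven/public_html war raven-pubhtmlwatch)
#   install_rule "$rule" /etc/audit/rules.d/raven.rules   # assumed file name
```

Events for the loaded rule can then be found with ausearch -k raven-pubhtmlwatch.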
