What's the difference between -F dir=XX and -w?

Steve Grubb sgrubb at redhat.com
Fri Jan 3 14:18:07 UTC 2014


On Fri, 3 Jan 2014 14:30:58 +0800
Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
> What's the difference between -F dir=XX and -w?
> 
> -a exit,always -F arch=b64 -S open -F success=1 -F dir=/secure
> 
> versus
> 
> -w /secure
> 

The '-w' option is for backwards compatibility with the original
(RHEL4) implementation. What it does is detect what the target is (file
or dir) and then expand into -F path= or -F dir= depending on what the
target was. '-w' should be considered deprecated and is limited in its
capabilities. This is explained in more detail on the auditctl man page.

-Steve
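
The expansion described in the reply above, as an added example that is not part of the original post and is not auditctl's own code: a small shell helper that rewrites a legacy `-w` watch into the explicit `-F path=` / `-F dir=` form. The function name `convert_watch` is hypothetical, and it assumes that a watch given without `-p` covers all four permissions (`rwxa`).

```shell
#!/bin/sh
# Added example: translate "-w PATH [-p PERMS] [-k KEY]" into the explicit
# rule form, choosing dir= or path= by inspecting the target.
# convert_watch is a hypothetical helper, not part of the audit package.

convert_watch() {
    target=""
    perms="rwxa"   # assumption: default when -p is omitted
    key=""
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
        case "$1" in
            -w) target=$2 ;;
            -p) perms=$2 ;;
            -k) key=$2 ;;
            *)  echo "unsupported option: $1" >&2; return 2 ;;
        esac
        shift 2
    done
    [ -n "$target" ] || { echo "no -w target given" >&2; return 2; }

    # Directory targets become dir= (recursive watch); in this example
    # anything that is not an existing directory is emitted as path=.
    if [ -d "$target" ]; then
        field="dir"
    else
        field="path"
    fi

    rule="-a always,exit -F $field=$target -F perm=$perms"
    if [ -n "$key" ]; then
        rule="$rule -F key=$key"
    fi
    printf '%s\n' "$rule"
}
```

Once a rule is in the explicit form it can be narrowed with further fields, such as the `-S open -F success=1` used in the quoted question, which the `-w` shorthand cannot express.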



