Auditing write syscall
Ondra N.
ondrysak at gmail.com
Mon May 13 19:43:54 UTC 2019
Hello,
I would like to ask a question about auditing write syscalls. I am trying
to monitor all filesystem changes in a specific directory and process the
changes in near real time; audispd was very helpful with that.
What concerns me is: what if a file descriptor is kept open for long periods
of time and written to once in a while? Only the open syscall is logged
when using a rule like this one.
auditctl -w /tmp/rnd_pop -p wa -k test_key
I was thinking that maybe being more explicit about what I want to do could
help, like setting up a rule like this one.
auditctl -a always,exit -F dir=/tmp/rnd_pop -F perm=w -F success=1 -k test_key
But it doesn't seem to work for me; I guess I cannot filter the write syscall by
directory, because nothing ever shows up in audit.log with a rule like
this.
What is the intended way to achieve logging of write syscalls in a specific
directory? Am I missing something? Should I check myself whether the file is
still open when the event is being processed and act accordingly?
Best regards,
Ondrej
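The post's last question, checking yourself whether the file is still open when the open event is processed, is worth showing in code, because a write(2) on an already-open descriptor involves no path lookup and therefore produces no PATH record that a -w or -F dir= rule could match. The following is an added example, not code from the post or from the audit project: it groups audit.log-style records by event serial, keeps only successful open()/openat() calls with a write-capable access mode on files under /tmp/rnd_pop carrying the post's key, and then checks /proc/<pid>/fd/<fd> to see whether that descriptor still points at the file. The sample records are constructed, and the syscall numbers and O_* bits assume x86-64; the readlink_from() helper is a stand-in for os.readlink so the check can be exercised offline.

```python
"""Added example: find write-capable opens under a watched directory in
audit records, then check whether the descriptor is still open."""
import os
import re
from collections import defaultdict

WATCHED_DIR = "/tmp/rnd_pop"   # directory and key from the post's rules
AUDIT_KEY = "test_key"
# Assumption: x86-64 ABI for syscall numbers and open(2) flag bits.
OPEN_SYSCALLS = {2: "open", 257: "openat"}
O_WRONLY, O_RDWR, O_ACCMODE = 0o1, 0o2, 0o3

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """One audit record -> dict of field -> value (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["_time"], rec["_serial"] = m.group(1), int(m.group(2))
    return rec


def group_events(lines):
    """Group records by event serial, the way ausearch/audispd present them."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line.strip())
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    return events


def write_opens(lines, watched_dir=WATCHED_DIR, key=AUDIT_KEY):
    """(pid, fd, path) for each successful open for writing under watched_dir.
    The fd is the syscall return value, i.e. the exit= field."""
    prefix = watched_dir.rstrip("/") + "/"
    found = []
    for _serial, recs in sorted(group_events(lines).items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("key") != key or sc.get("success") != "yes":
            continue
        nr = int(sc.get("syscall", -1))
        if nr not in OPEN_SYSCALLS:
            continue
        # open(2) carries flags in a1, openat(2) in a2; audit prints them in hex.
        flags = int(sc["a1"] if nr == 2 else sc["a2"], 16)
        if (flags & O_ACCMODE) not in (O_WRONLY, O_RDWR):
            continue   # read-only open: this fd can never be written later
        cwd = next((r["cwd"] for r in recs if r.get("type") == "CWD"), "/")
        for p in recs:
            # The opened file is the PATH item that is not the PARENT directory.
            if p.get("type") == "PATH" and p.get("nametype") != "PARENT":
                path = os.path.normpath(os.path.join(cwd, p["name"]))
                if path.startswith(prefix):
                    found.append((int(sc["pid"]), int(sc["exit"]), path))
                break
    return found


def fd_still_open(pid, fd, path, readlink=os.readlink):
    """True if /proc/<pid>/fd/<fd> still points at path. Comparing the link
    target, not just its existence, guards against the fd number having been
    reused for another file. Needs the same uid as pid or CAP_SYS_PTRACE."""
    try:
        target = readlink(f"/proc/{pid}/fd/{fd}")
    except OSError:          # process exited, fd closed, or permission denied
        return False
    return target in (path, path + " (deleted)")


def readlink_from(mapping):
    """Stand-in for os.readlink backed by a dict, so the check runs offline."""
    def _readlink(link):
        if link not in mapping:
            raise FileNotFoundError(link)
        return mapping[link]
    return _readlink


# Constructed sample records in auditd's on-disk format (not a real capture).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1557776634.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c6e1a20 a2=80241 a3=1b6 items=2 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3" key="test_key"
type=CWD msg=audit(1557776634.123:456): cwd="/home/ondrej"
type=PATH msg=audit(1557776634.123:456): item=0 name="/tmp/rnd_pop/" inode=1234 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1557776634.123:456): item=1 name="/tmp/rnd_pop/data.log" inode=1235 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1557776640.500:457): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffd3c6e1a20 a2=80000 a3=0 items=1 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3" key="test_key"
type=PATH msg=audit(1557776640.500:457): item=0 name="/tmp/rnd_pop/data.log" inode=1235 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1557776700.001:458): arch=c000003e syscall=2 success=yes exit=4 a0=55c0d2a1e2c0 a1=42 a2=1a4 a3=0 items=2 ppid=1 pid=5151 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="writer" exe="/usr/local/bin/writer" key="test_key"
type=CWD msg=audit(1557776700.001:458): cwd="/tmp/rnd_pop"
type=PATH msg=audit(1557776700.001:458): item=0 name="." inode=1234 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1557776700.001:458): item=1 name="notes.txt" inode=1236 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1557776710.222:459): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd3c6e1a20 a2=80241 a3=1b6 items=1 ppid=1 pid=6060 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=5 comm="cat" exe="/usr/bin/cat" key="test_key"
type=PATH msg=audit(1557776710.222:459): item=0 name="/tmp/rnd_pop/" inode=1234 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
"""

if __name__ == "__main__":
    # Constructed /proc view: pid 4242 still holds fd 3, pid 5151 closed fd 4.
    proc = readlink_from({"/proc/4242/fd/3": "/tmp/rnd_pop/data.log"})
    for pid, fd, path in write_opens(SAMPLE_LOG.splitlines()):
        state = "still open" if fd_still_open(pid, fd, path, readlink=proc) else "closed"
        print(f"pid={pid} fd={fd} {path}: {state}")
```

Two caveats apply when this is run against live /proc rather than the stand-in: the check is racy (the descriptor can be closed or reused between the readlink and whatever you do with the answer), and it only tells you the file is still writable by that process, not that a write has happened; the audit subsystem itself will not report the later write(2) calls through a path or directory rule.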