From: Stefano Schiavi <stefanoschiavi00@gmail.com>
To: linux-audit@redhat.com
Subject: Re: auditctl rule to monitor dir only (not all sub dir and files etc..)
Date: Thu, 26 Sep 2013 20:58:45 +0200
Message-ID: <524483E5.20300@gmail.com>
In-Reply-To: <18913033.s01T2HagDj@x2>



Thank you so much Steve!

Do you know how to set this up via "auditctl" ?

I was not able to find a way looking at:
[~]# auditctl -help

Otherwise where would I edit the rule? (it's not in the .rules file, but 
it is displayed if I auditctl -l)

Thank you so much
Stefano

On 09/26/2013 08:25 PM, Steve Grubb wrote:
> On Thursday, September 26, 2013 05:36:45 PM Stefano Schiavi wrote:
>> I am trying to use auditd to monitor changes to a directory. The problem
>> is that when I setup a rule it does monitor the dir I specified but also
>> all the sub dir and files making the monitor useless due to endless
>> verbosity.
>>
>> Here is the rule I setup:
>> auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
> A watch is really a syscall rule in disguise. If you place a watch on a
> directory, auditctl will turn it into:
>
> -a exit,always  -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
>
> The -F dir field is recursive. However, if you just want to watch the directory
> entries, you can change that to -F path.
>
> -a exit,always  -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
>
> This is not recursive and just watches the inode that the directory occupies.
>
> -Steve


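The expansion Steve describes (a `-w` watch becoming a syscall rule with `-F dir=` or `-F path=`) and the difference in what the two forms match, as an added illustration that is not part of the thread. The script below does not call auditctl at all: `expand_watch` prints the rule form for a given directory, permissions, key and field, and `rule_matches` is a small model of the matching semantics, not the kernel's filter code. The sample event paths are constructed. One assumption in the model: an operation that creates or removes an entry directly inside the watched directory modifies that directory's inode, so the `path` mode counts immediate entries as hits (reading Steve's "just want to watch the directory entries"), while anything deeper is a miss.

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread. Models how a watch
# expands into its syscall-rule form and which event paths the recursive
# (-F dir=) and non-recursive (-F path=) variants would match.

# expand_watch DIR KEY PERMS FIELD -> prints the syscall-rule form.
#   FIELD is "dir"  (recursive; what auditctl generates for -w on a directory)
#   or    "path" (non-recursive; the variant suggested in the thread).
expand_watch() {
  printf '%s -F %s=%s -F perm=%s -F key=%s\n' '-a exit,always' "$4" "$1" "$3" "$2"
}

# rule_matches FIELD RULEPATH EVENTPATH -> returns 0 if a rule using that
# field on RULEPATH would match an event on EVENTPATH, 1 otherwise.
rule_matches() {
  field=$1; rule=${2%/}; event=${3%/}
  case $field in
    dir)
      # Recursive: the directory itself and everything beneath it.
      [ "$event" = "$rule" ] && return 0
      case $event in "$rule"/*) return 0 ;; esac
      return 1 ;;
    path)
      # Non-recursive: only the directory's own inode. Adding or removing an
      # immediate entry changes that inode (assumption, see lead-in), so the
      # direct parent is checked; deeper paths are never matched.
      [ "$event" = "$rule" ] && return 0
      parent=${event%/*}
      [ "$parent" = "$rule" ] && return 0
      return 1 ;;
    *)
      echo "unknown field: $field" >&2
      return 2 ;;
  esac
}

# report FIELD RULEPATH -> one hit/miss line per constructed sample event path.
report() {
  for p in /home/raven/public_html \
           /home/raven/public_html/index.html \
           /home/raven/public_html/cache/sess/abc \
           /home/raven/other; do
    if rule_matches "$1" "$2" "$p"; then echo "hit  $p"; else echo "miss $p"; fi
  done
}

# Recursive form: the cache file three levels down is a hit (the noise
# the original poster complained about).
expand_watch /home/raven/public_html raven-pubhtmlwatch war dir
report dir /home/raven/public_html
echo
# Non-recursive form: only the directory and its immediate entries.
expand_watch /home/raven/public_html raven-pubhtmlwatch war path
report path /home/raven/public_html
```

Running it prints the two rule forms followed by the hit/miss list for each; the deeper `cache/sess/abc` path shows the practical difference between the two fields.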