From: Pete Briggs
Subject: Re: "Watch"ing a directory
Date: Wed, 22 Aug 2007 11:40:00 -0400
To: Steve Grubb
Cc: "NENTWIG, CHRISTOPHER R.", linux-audit@redhat.com, "GIOVANNUCCI JR, ROBERT F.", "HEALEY-DYSZCZYK, PAMELA J."

Once I tried something like touching a file, this worked as advertised.
I'm using kernel: 2.6.21-1.3194.fc7 on Fedora 7

Thanks again

- Pete Briggs

On Wed, 2007-08-22 at 10:36 -0400, Steve Grubb wrote:
> On Wednesday 22 August 2007 10:17:37 Pete Briggs wrote:
> > Is there any way to put a watch on a directory,
>
> Sort of...RHEL5.1 will have subtree auditing working in it. Al Viro also sent
> the patch upstream and should land in 2.6.23 or 24.
>
> > so that an audit record will be generated if anyone cd's to that directory.
>
> Not for cd'ing into a directory. They have to attempt to read, write, change
> an attribute, or execute a file.
>
> > I've tried things like:
> >
> > -w /etc/audit/ -k ACCESS_AUDIT
>
> That is how you would watch a directory with current audit package and kernel
> with the subtree auditing patch.
>
> > but the rule never seems to get invoked. I'm running FC7 with
> > audit-1.5.3
>
> They have to actually do something for it to trip...assuming you have a kernel
> that supports it.
>
> -Steve
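
An added example, not part of the original thread: once a watch such as `-w /etc/audit/ -k ACCESS_AUDIT` trips on a file operation, the records it writes can be pulled from the audit log by key and grouped per event. The log lines are constructed for illustration, and `events_for_key` and `parse_fields` are hypothetical helper names.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample records (not from the thread), shaped like audit.log
# entries for the watch "-w /etc/audit/ -k ACCESS_AUDIT"; fields are abbreviated.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1187797200.101:512): arch=40000003 syscall=5 success=yes exit=3 items=2 pid=3151 auid=500 uid=0 comm="touch" exe="/bin/touch" key="ACCESS_AUDIT"
type=CWD msg=audit(1187797200.101:512): cwd="/root"
type=PATH msg=audit(1187797200.101:512): item=0 name="/etc/audit/" inode=1001
type=PATH msg=audit(1187797200.101:512): item=1 name="/etc/audit/testfile" inode=1002
type=SYSCALL msg=audit(1187797260.007:513): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=3160 auid=500 uid=500 comm="cat" exe="/bin/cat" key="OTHER_KEY"
type=PATH msg=audit(1187797260.007:513): item=0 name="/etc/passwd" inode=2001
'''

# Record header: type, timestamp and the event serial shared by related records.
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')


def parse_fields(body):
    """Split 'k=v k="quoted v"' pairs; shlex strips the double quotes."""
    return dict(tok.split('=', 1) for tok in shlex.split(body) if '=' in tok)


def events_for_key(log_text, key):
    """Group records by event serial and return the events carrying `key`."""
    events = defaultdict(lambda: {'syscall': None, 'paths': []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or malformed lines
        rtype, _ts, serial, body = m.groups()
        fields = parse_fields(body)
        if rtype == 'SYSCALL':
            events[serial]['syscall'] = fields
        elif rtype == 'PATH':
            events[serial]['paths'].append(fields.get('name'))
    hits = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev['syscall']
        if sc and sc.get('key') == key:  # the -k value lands on the SYSCALL record
            hits.append({'serial': int(serial), 'comm': sc.get('comm'),
                         'auid': sc.get('auid'), 'paths': ev['paths']})
    return hits


if __name__ == '__main__':
    for hit in events_for_key(SAMPLE_LOG, 'ACCESS_AUDIT'):
        print(hit)
```

A `cd` into the watched directory leaves nothing for this to find, which matches the reply above: only a read, write, attribute change or execute on a file generates a record.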