From: LC Bruzenak
Subject: Re: A question about the directory watch in audit_tree.c in kernel
Date: Thu, 22 May 2008 07:28:13 -0500
Message-ID: <1211459293.6597.9.camel@homeserver>
References: <001701c8ba16$77c11ad0$2e8da70a@fnste3fa5f55c4> <1211285172.20187.20.camel@pc070168.northgrum.com> <002501c8bae4$b3491480$2e8da70a@fnste3fa5f55c4> <200805211103.34938.sgrubb@redhat.com>
In-Reply-To: <200805211103.34938.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 2008-05-21 at 11:03 -0400, Steve Grubb wrote:
...
> Also, note that -w rules are legacy for compatibility with RHEL4 kernel. They
> are used to express simple ideas like watch this file or directory subtree.
> If you want tight control over what you are auditing, you should use the
> syscall audit format where you can express more details about what you wanted
> to trigger on. IOW, you can express that you want changes to a directory
> itself rather than the files in the directory.
>
> -Steve

Steve, do any of the syscall directory watches recursively audit to the bottom of a given directory tree?

I had kept many "-w" fields in place b/c the man page says they do not impact performance based on the number of rules, and I wanted the full subtree covered.

Should I look to changing these watches to specific syscall watches in order to not get "legacied out" at some point?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
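As an added example (not from this thread or from the audit project), a small Python converter from the legacy "-w path -p perms -k key" form to the syscall-rule form Steve describes, using auditctl's dir= (applied to the whole subtree), path= and perm= fields; the paths in the sample rules are constructed, and using an explicit syscall list in place of -p, to target operations on the directory itself, is this example's own choice, not auditctl's.

```python
import os
import shlex
from typing import Callable, List, Optional

# Constructed legacy rules in audit.rules syntax (example paths, not from the thread).
LEGACY_RULES = """
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/sudoers.d -p wa -k sudoers
-w /usr/bin/passwd -p x -k passwd
"""


def convert_watch_rule(rule: str, is_dir: Callable[[str], bool] = os.path.isdir,
                       syscalls: Optional[List[str]] = None, arch: str = "b64") -> str:
    """Rewrite one '-w path [-p perms] [-k key]' rule as a syscall rule.

    Directories become '-F dir=' (covers the subtree), files '-F path='.
    Without a syscall list, '-S all' plus '-F perm=' keeps the watch's meaning.
    With one (e.g. mkdir,rmdir,rename,unlink), only those operations fire, so
    changes to the directory entries are audited rather than writes to the
    files inside it; -p is dropped because the syscall list already narrows it.
    """
    argv = shlex.split(rule)
    path = perms = key = None
    for i in range(0, len(argv), 2):
        flag = argv[i]
        value = argv[i + 1] if i + 1 < len(argv) else None
        if flag == "-w":
            path = value
        elif flag == "-p":
            perms = value
        elif flag == "-k":
            key = value
        else:
            raise ValueError(f"not a plain watch rule: {rule!r}")
    if path is None:
        raise ValueError(f"missing -w path in {rule!r}")
    if perms is not None and not set(perms) <= set("rwxa"):
        raise ValueError(f"bad -p permissions {perms!r}")
    out = ["-a", "always,exit"]
    if syscalls:
        out += ["-F", f"arch={arch}", "-S", ",".join(syscalls)]
    else:
        out += ["-S", "all"]
    out += ["-F", f"{'dir' if is_dir(path) else 'path'}={path}"]
    if perms and not syscalls:
        out += ["-F", f"perm={perms}"]
    if key:
        out += ["-k", key]
    return " ".join(out)


def convert_rules(text: str, **kw) -> List[str]:
    """Convert every non-comment, non-blank -w line in an audit.rules fragment."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [convert_watch_rule(l, **kw) for l in lines]
```

Load the output with auditctl -R (or into /etc/audit/rules.d) as root; the example itself only rewrites text.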