* audit rules watching paths
From: Warron French @ 2017-03-12 4:48 UTC
To: linux-audit
I know that I can add to the audit.rules file a rule like
-w /etc/ -p rawx -k watch_Etc
But how far down will this sort of audit rule monitor /etc/? How many
levels deep?
Thanks.
* Re: audit rules watching paths
From: Steve Grubb @ 2017-03-12 23:21 UTC
To: linux-audit
On Saturday, March 11, 2017 11:48:53 PM EDT Warron French wrote:
> I know that I can add to the audit.rules file a rule like
>
> -w /etc/ -p rawx -k watch_Etc
>
> But how far down will this sort of audit rule monitor /etc/? How many
> levels deep?
The "-w /etc" is the same thing as "-F dir=/etc". They both go down all the
way until you hit a new mount point. So, for the sake of discussion, suppose
/dev/sdb3 was mounted at /etc/sysconfig/, then anything under /etc/sysconfig/
will not be audited. To fix this, you need to add a rule with the -q option to
tell the kernel that the mounted file system should be considered equivalent to
the directory being watched.
I also think that if you have any symlinks that point out of the subtree, they
may not get watched because they actually resolve to another path. I'd have to
test that to be 100% sure, though.
Also note that during path resolution if there is a permission problem at a
directory level and the object was below it, you may not get an event or only
an event at the directory where the permission was blocked.
-Steve
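A defender-side check for the mount-boundary behaviour Steve describes, added here as an example and not taken from the thread: a POSIX shell function that reads a mounts table in /proc/self/mounts format and lists every mount point nested strictly below the watched directory, i.e. the subtrees a `-w /etc/` rule would silently skip and that each need their own `-q` rule (operand syntax per auditctl(8)). The sample mounts table is constructed, and reading /proc/self/mounts by default is an assumption about where the live table is.

```shell
#!/bin/sh
# Added example, not part of the thread. A "-w DIR" rule (same as
# "-F dir=DIR") stops at every mount boundary, so each path this prints
# would be silently excluded from the watch and needs its own "-q" rule.

# nested_mounts WATCHDIR [MOUNTS_FILE]
# Reads /proc/self/mounts (or a file in the same format) and prints every
# mount point strictly below WATCHDIR, one per line.
nested_mounts() {
    watch=${1%/}                       # "/etc/" -> "/etc"; "/" -> ""
    mounts=${2:-/proc/self/mounts}
    awk -v w="$watch" '
        BEGIN { pre = (w == "" ? "/" : w "/") }
        {
            mp = $2                    # field 2 is the mount point
            gsub(/\\040/, " ", mp)     # the kernel encodes spaces as \040
            if (index(mp, pre) == 1 && mp != "/") print mp
        }' "$mounts"
}

# sample_mounts FILE
# Writes a constructed mounts table (not captured from a real host) to FILE
# so the check runs offline; /etc/sysconfig mirrors the example in the reply.
sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        'proc /proc proc rw,nosuid 0 0' \
        '/dev/sdb3 /etc/sysconfig ext4 rw,relatime 0 0' \
        'tmpfs /etc/pki\040cache tmpfs rw,nosuid 0 0' \
        '/dev/sdc1 /etcetera ext4 rw,relatime 0 0' \
        > "$1"
}

# Demo: report what a "-w /etc/" watch would miss on the sample table.
demo_file=$(mktemp)
sample_mounts "$demo_file"
echo "mount points below /etc not covered by '-w /etc/ -p rawx -k watch_Etc':"
nested_mounts /etc/ "$demo_file"
rm -f "$demo_file"
```

Run it without the second argument on a live host to check the real mounts table; /etcetera is in the sample to show that the prefix match requires a path separator, so sibling names are not false positives.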