* Question on logging file deletions with auditd
@ 2007-01-31 1:49 Walt Powell
2007-02-05 14:07 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: Walt Powell @ 2007-01-31 1:49 UTC (permalink / raw)
To: linux-audit
What would the appropriate syscall be in the audit.rules file to log file deletions with auditd? I'm thinking the syntax would be something akin to -w entry, always -S delete, but that doesn't seem to work...
Thanks to all...
* Re: Question on logging file deletions with auditd
2007-01-31 1:49 Question on logging file deletions with auditd Walt Powell
@ 2007-02-05 14:07 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2007-02-05 14:07 UTC (permalink / raw)
To: linux-audit
On Tuesday 30 January 2007 20:49, Walt Powell wrote:
> What would the appropriate syscall be in the audit.rules file to log file
> deletions with auditd?
Assuming current upstream kernel... In terms of watches, I think deletion is
considered a write. But if you audit writes like this:
auditctl -w /var/log/messages -p w -k delete-logs
you will likely get more than you asked for. So, you could do it this way:
auditctl -a exit,always -S unlink -F path=/var/log/messages -F key=delete-logs
and then find them with:
ausearch --start today -k delete-logs
-Steve
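Once a rule like the `-S unlink -F key=delete-logs` one above is in place, the matching events land in the audit log as one SYSCALL record (which carries the key, the syscall number and the acting user) followed by PATH records (one of which names the deleted file). The script below is an added example, not code from the thread or from the audit package: it parses a few constructed audit.log lines in the modern record format, groups records by their audit serial number, keeps only events tagged with the chosen key, and pulls the deleted name out of the PATH record whose `nametype` is `DELETE`. The syscall-number table assumes x86_64 (87 is `unlink`, 263 is `unlinkat`); on other architectures use `ausyscall --dump` for the mapping. The table includes `unlinkat` because modern coreutils `rm` calls that syscall rather than `unlink`, so a deletion rule that lists only `-S unlink` will miss ordinary `rm` invocations on current systems; listing both syscalls in the rule avoids that gap.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread). Serial 4521
# is an unlink() of /var/log/messages tagged delete-logs; serial 4522 is an
# unrelated open() of the same file that must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1170251340.123:4521): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2310 pid=2450 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/bin/rm" key="delete-logs"
type=CWD msg=audit(1170251340.123:4521): cwd="/root"
type=PATH msg=audit(1170251340.123:4521): item=0 name="/var/log/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1170251340.123:4521): item=1 name="/var/log/messages" inode=131090 dev=08:01 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1170251400.001:4522): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2310 pid=2460 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1170251400.001:4522): item=0 name="/var/log/messages" inode=131090 dev=08:01 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=NORMAL
"""

# Assumed architecture: x86_64 syscall numbers for the deletion family.
X86_64_DELETE_SYSCALLS = {87: "unlink", 263: "unlinkat"}

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<seconds.millis>:<serial>) ties the records of one event together.
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Turn one audit record into a dict of fields plus _ts and _serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_ts"] = m.group(1)
    fields["_serial"] = int(m.group(2))
    return fields


def group_events(log_text):
    """Group records by serial so SYSCALL and PATH lines of one event stay together."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["_serial"]].append(rec)
    return events


def find_deletions(log_text, key="delete-logs", syscall_names=X86_64_DELETE_SYSCALLS):
    """Return one summary per event whose SYSCALL record carries the given key.

    The deleted name comes from the PATH record with nametype=DELETE; the
    SYSCALL record only tells us who did it and which syscall was used.
    """
    hits = []
    for serial, records in sorted(group_events(log_text).items()):
        syscall_recs = [r for r in records if r.get("type") == "SYSCALL"]
        if not syscall_recs:
            continue
        sc = syscall_recs[0]
        if sc.get("key") != key:
            continue
        number = int(sc["syscall"])
        hits.append({
            "serial": serial,
            "time": sc["_ts"],
            "syscall": syscall_names.get(number, str(number)),
            "auid": sc.get("auid"),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "success": sc.get("success") == "yes",
            "deleted": [r["name"] for r in records
                        if r.get("type") == "PATH" and r.get("nametype") == "DELETE"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_deletions(SAMPLE_LOG):
        print(f"{hit['time']} serial={hit['serial']} {hit['syscall']} by auid={hit['auid']} "
              f"({hit['comm']}, {hit['exe']}) success={hit['success']} deleted={hit['deleted']}")
```

On a live system the same function can be fed the output of `ausearch -k delete-logs --raw`, which prints records in this key=value format; `ausearch -i` would instead translate the syscall number and uid into names, so the parser is written against the raw form.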