Watch in audit 1.6

Watch in audit 1.6

[Ameel Kamboh]

[-- Attachment #1.1: Type: text/plain, Size: 765 bytes --]

We are using audit 1.6 in our system.
When I add a watch rule for write and append to a directory, the log
will report any changes to the directory and all the sub directories as
well.
Is there a way to exclude watching sub directories as well.

Example:

Watch directory /var/mydir

The tree for mydir is as follows:

 /var/mydir
     |
     ---- runtime
     |
     ---- dir1
     |
     ---- dir2

I would like to watch /var/mydir + /var/mydir/dir1 + /var/mydir/dir2,
but exclude /var/mydir/runtime

Rule:
  -w /var/mydir -p aw

Is there a way to do what I am asking?

Ameel Kamboh
SIP Core Network and Security 
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh@techtrial.com
email: akamboh@nortel.com




[-- Attachment #1.2: Type: text/html, Size: 2778 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Watch in audit 1.6

[Steve Grubb]

On Tuesday 20 January 2009 11:11:52 am Ameel Kamboh wrote:
> Is there a way to exclude watching sub directories as well.

Today, not that I know of. A patch was submitted into the latest development 
kernel (2.6.29) to preserve watch ordering. But you will have to make some 
changes to the rules. A typical watch looks like this:

-w /var/mydir -p wa -k mywatch

its the same as:

-a always,exit -F dir=/var/mydir -F perms=wa -F key=mywatch

In the future, you will be able to do:

-a never,exit -F dir=/var/mydir/runtime
-a always,exit -F dir=/var/mydir -F perms=wa -F key=mywatch

in that specific order since first match wins.

-Steve