From: "Ameel Kamboh"
Subject: Watch in audit 1.6
Date: Tue, 20 Jan 2009 11:11:52 -0500
To: linux-audit@redhat.com

We are using audit 1.6 in our system. When I add a watch rule for write and append to a directory, the log will report any changes to the directory and all the subdirectories as well. Is there a way to exclude watching subdirectories as well?
Example: Watch directory /var/mydir

The tree for mydir is as follows:

 /var/mydir
     |
     ---- runtime
     |
     ---- dir1
     |
     ---- dir2

I would like to watch /var/mydir + /var/mydir/dir1 + /var/mydir/dir2, but exclude /var/mydir/runtime

Rule:
  -w /var/mydir -p aw

Is there a way to do what I am asking?

Ameel Kamboh
SIP Core Network and Security
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh@techtrial.com
email: akamboh@nortel.com
From: Steve Grubb
Subject: Re: Watch in audit 1.6
Date: Tue, 20 Jan 2009 11:54:51 -0500
To: linux-audit@redhat.com

On Tuesday 20 January 2009 11:11:52 am Ameel Kamboh wrote:
> Is there a way to exclude watching subdirectories as well?

Today, not that I know of. A patch was submitted into the latest development kernel (2.6.29) to preserve watch ordering. But you will have to make some changes to the rules. A typical watch looks like this:

  -w /var/mydir -p wa -k mywatch

It's the same as:

  -a always,exit -F dir=/var/mydir -F perms=wa -F key=mywatch

In the future, you will be able to do:

  -a never,exit -F dir=/var/mydir/runtime
  -a always,exit -F dir=/var/mydir -F perms=wa -F key=mywatch

in that specific order since first match wins.

-Steve
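A small model of the rule matching Steve describes, added here as an example that is not part of the thread and not the kernel's or auditctl's own code: it rewrites the -w form into the -a form he gives and evaluates an ordered rule list first-match-wins over sample paths from the /var/mydir tree. The assumption that a never rule with no perms field matches any access is mine.

```python
import os

# Model of auditctl rule matching as described in the thread (added example,
# not kernel or auditctl code). Only the -w and -a forms shown above are handled.

def watch_to_rule(rule):
    """Rewrite '-w DIR -p PERMS [-k KEY]' into the equivalent '-a' form given
    in the reply; any other rule is returned unchanged."""
    argv = rule.split()
    if argv[0] != "-w":
        return rule
    opts = dict(zip(argv[2::2], argv[3::2]))
    out = "-a always,exit -F dir=%s" % argv[1]
    if "-p" in opts:
        out += " -F perms=%s" % opts["-p"]
    if "-k" in opts:
        out += " -F key=%s" % opts["-k"]
    return out

def parse_rule(rule):
    """Turn one '-a ACTION,LIST -F name=value ...' line into a dict."""
    argv = watch_to_rule(rule).split()
    action, lst = argv[1].split(",")
    fields = {"action": action, "list": lst}
    for flag, kv in zip(argv[2::2], argv[3::2]):
        if flag == "-F":
            name, value = kv.split("=", 1)
            fields[name] = value
    return fields

def under_dir(path, top):
    """dir= covers the directory itself and everything beneath it."""
    top = os.path.normpath(top)
    return path == top or path.startswith(top + "/")

def evaluate(rules, path, access):
    """First match wins: return (action, key) of the first exit-list rule whose
    dir= covers `path` and whose perms (assumed 'rwxa' when absent) include
    `access`, or None when no rule matches."""
    for r in map(parse_rule, rules):
        if r["list"] != "exit" or "dir" not in r:
            continue
        if not under_dir(path, r["dir"]) or access not in r.get("perms", "rwxa"):
            continue
        return r["action"], r.get("key")
    return None

# Constructed rule sets for the /var/mydir tree from the question.
FUTURE_RULES = [
    "-a never,exit -F dir=/var/mydir/runtime",
    "-w /var/mydir -p wa -k mywatch",
]
WRONG_ORDER = FUTURE_RULES[::-1]   # always rule first: runtime is no longer excluded
```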