From: Steve Grubb
Subject: Re: RHEL 4, Auditing
Date: Tue, 20 Jul 2010 08:24:44 -0400
Message-ID: <201007200824.44949.sgrubb@redhat.com>
To: linux-audit@redhat.com

On Tuesday, July 20, 2010 08:04:02 am List Quest wrote:
> I am trying RHEL 4.x series auditing.
>
> Example:
> Audit version: audit-1.0.15-3.EL4
>
> -w /root -p w
>
> config line added to audit.rules; but this config watches only "/root"
> directory writes. It does not watch "/root/Desktop", "/root/test", etc...
>
> I can't do a recursive directory watch, like in audit version audit-1.7.17-3
>
> How can I do this?

That is correct. The first iteration of the audit system has some limitations
that were fixed over time. For example, another thing you cannot do on the older
kernels is add a key to syscall rules.

-Steve