* What's the difference between -F dir=XX and -w?
@ 2014-01-03 6:30 Aaron Lewis
From: Aaron Lewis @ 2014-01-03 6:30 UTC (permalink / raw)
To: linux-audit@redhat.com
Hi,
What's the difference between -F dir=XX and -w?
-a exit,always -F arch=b64 -S open -F success=1 -F dir=/secure
versus
-w /secure
--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
* Re: What's the difference between -F dir=XX and -w?
From: Bryan Harris @ 2014-01-03 8:12 UTC (permalink / raw)
To: linux-audit
Hi Aaron,
On Jan 3, 2014, at 12:30 AM, Aaron Lewis <the.warl0ck.1989@gmail.com> wrote:
> Hi,
>
> What's the difference between -F dir=XX and -w?
>
> -a exit,always -F arch=b64 -S open -F success=1 -F dir=/secure
>
> versus
>
> -w /secure
>
I'm new to audit but I did a search and after a while found an old thread. I think -w /path is essentially expanded to be a -F dir=/path rule, except they don't put the -F arch=b64. I guess architecture may not matter for open(), but that's just a guess.
Here it is,
https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html
V/r,
Bryan
* Re: What's the difference between -F dir=XX and -w?
From: Steve Grubb @ 2014-01-03 14:18 UTC (permalink / raw)
To: Aaron Lewis; +Cc: linux-audit@redhat.com
On Fri, 3 Jan 2014 14:30:58 +0800
Aaron Lewis <the.warl0ck.1989@gmail.com> wrote:
> What's the difference between -F dir=XX and -w?
>
> -a exit,always -F arch=b64 -S open -F success=1 -F dir=/secure
>
> versus
>
> -w /secure
>
The '-w' option is for backwards compatibility with the original
(RHEL4) implementation. What it does is detect what the target is (file
or dir) and then expand into -F path= or -F dir= depending on what the
target was. '-w' should be considered deprecated and is limited in its
capabilities. This is explained in more detail on the auditctl man page.
-Steve
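The expansion Steve describes, written out as an added illustration (not auditctl's own code): a watch is turned into an exit-filter rule whose target field is chosen by whether the path is a directory. It assumes the usual auditctl watch defaults (all of r/w/x/a when no -p is given) and that a path that cannot be stat'ed is treated as a file watch.

```python
import os
import shlex

# Default permission set a '-w' watch gets when no '-p' is supplied.
DEFAULT_PERMS = "rwxa"


def expand_watch(path, perms=DEFAULT_PERMS, key=None):
    """Return the '-a always,exit ...' rule equivalent to '-w PATH [-p PERMS] [-k KEY]'.

    Mirrors the behaviour described in the thread: the target is inspected and the
    rule is built with '-F dir=' for a directory or '-F path=' for anything else.
    Unlike a hand-written syscall rule, the result carries no '-F arch=' or '-S'
    restriction; the '-F perm=' filter is what limits which syscalls match.
    """
    bad = set(perms) - set("rwxa")
    if bad:
        raise ValueError("unknown permission flag(s): %s" % "".join(sorted(bad)))
    # A non-existent path cannot be a directory watch, so it falls back to 'path'.
    field = "dir" if os.path.isdir(path) else "path"
    rule = ["-a", "always,exit",
            "-F", "%s=%s" % (field, path),
            "-F", "perm=%s" % perms]
    if key:
        rule += ["-k", key]
    # Quote each token so the line can be pasted into audit.rules or a shell.
    return " ".join(shlex.quote(tok) for tok in rule)


if __name__ == "__main__":
    # Constructed sample target from the thread; on a real host this would be
    # a directory, so the expansion would use '-F dir='.
    print(expand_watch("/secure", key="secure"))
```

Compared with Aaron's explicit rule, the expanded watch has no -S open, no arch and no success=1 filter, which is the "limited in its capabilities" point: whatever you need beyond path plus permission must be written as a syscall rule.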