linux-audit.redhat.com archive mirror
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Tyler Hardin <th020394@gmail.com>
Subject: Re: Using audit as extended inotify
Date: Tue, 28 Jul 2015 15:30:02 -0400
Message-ID: <4295366.TZWZoNTLeN@x2>
In-Reply-To: <CAJwFvsVE2csA1hJoiShDH_mQS0no1n_Fn+DrhjYu2zs6i8PboA@mail.gmail.com>

On Monday, July 27, 2015 07:30:33 PM Tyler Hardin wrote:
> I want to monitor file and directory creation, modification, and deletion
> on some large subtrees (/etc/, /usr/share/, and ~/.config/). And I want the
> name of the executable that caused the event. The purpose will be to
> facilitate cruft detection and removal.

You cannot use globbing in the path.

> Can audit do this? Will using it to do this with such large subtrees become
> a performance issue?

It sort of can. You can monitor directory creation, file creation, and 
deletion. Modification is where you start to have an issue. What you can see is 
the file is opened with a write flag. But you have no idea if it actually 
changed the file. You should be able to see the process doing it. But, I think 
you might get a lot of records to process. Give it a try.

-Steve
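
The two halves of the answer above (watch rules must name literal paths, and audit can show creation, deletion and a writable open but not whether the content changed) as an added, runnable example. This is not code from the thread or from the audit project: the home directory list, the key name "cruft", the x86_64 syscall numbers taken from the kernel's table, and the audit records themselves are all constructed for illustration.

```python
"""Watch subtrees with audit and classify what happened.  Added example,
not code from this thread or from the audit project; the home directory,
key name and audit records are constructed."""
import os
import re
from collections import defaultdict

# x86_64 numbers from the kernel's syscall table (records show arch=c000003e).
SYSCALL_NAMES = {2: "open", 257: "openat", 85: "creat", 87: "unlink",
                 263: "unlinkat", 83: "mkdir", 258: "mkdirat", 82: "rename",
                 264: "renameat", 316: "renameat2"}
OPEN_FLAG_ARG = {"open": "a1", "openat": "a2"}   # which argument carries the flags
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC, O_APPEND = 0x1, 0x2, 0x40, 0x200, 0x400
WRITE_MASK = O_WRONLY | O_RDWR | O_CREAT | O_TRUNC | O_APPEND


def audit_rules(subtrees, homes, key="cruft"):
    """Render 'auditctl -w' watch rules.  A watch on a directory covers the
    subtree beneath it, but the path must be literal: '~' is expanded per
    home directory here and any shell wildcard is rejected."""
    rules = []
    for sub in subtrees:
        targets = [sub.replace("~", h, 1) for h in homes] if sub.startswith("~") else [sub]
        for path in targets:
            if any(c in path for c in "*?["):
                raise ValueError(f"audit watch paths cannot contain globs: {path}")
            rules.append(f"-w {path} -p wa -k {key}")
    return rules


KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one raw audit record into a dict; '_serial' ties records together."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["_serial"] = MSG.search(line).group(2)
    return fields


def classify_events(lines):
    """Group records by serial and report create / delete / open-for-write,
    each with the executable that did it.  Only successful syscalls count."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    results = []
    for serial, recs in events.items():
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("success") != "yes":
            continue                            # failed call: nothing touched disk
        name = SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"])
        flags = int(sc[OPEN_FLAG_ARG[name]], 16) if name in OPEN_FLAG_ARG else 0
        cwd = next((r["cwd"] for r in recs if r["type"] == "CWD"), "/")
        for p in recs:
            if p["type"] != "PATH":
                continue
            ntype = p.get("nametype")
            if ntype == "CREATE":
                action = "create"
            elif ntype == "DELETE":
                action = "delete"
            elif ntype == "NORMAL" and flags & WRITE_MASK:
                action = "open-for-write"       # writable open; a change is not proven
            else:
                continue
            path = p["name"] if p["name"].startswith("/") else os.path.normpath(os.path.join(cwd, p["name"]))
            results.append({"serial": serial, "action": action, "path": path,
                            "exe": sc.get("exe"), "syscall": name})
    return results


# Constructed records in raw audit.log form (trimmed to the fields used here).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1438115403.123:501): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=2 pid=2001 uid=1000 comm="vim" exe="/usr/bin/vim" key="cruft"
type=CWD msg=audit(1438115403.123:501): cwd="/home/tyler"
type=PATH msg=audit(1438115403.123:501): item=0 name="/home/tyler/.config/" inode=12345 dev=08:01 mode=040755 nametype=PARENT
type=PATH msg=audit(1438115403.123:501): item=1 name="/home/tyler/.config/foo.ini" inode=12346 dev=08:01 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1438115410.000:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 pid=2002 uid=1000 comm="cat" exe="/usr/bin/cat" key="cruft"
type=CWD msg=audit(1438115410.000:502): cwd="/home/tyler"
type=PATH msg=audit(1438115410.000:502): item=0 name="/etc/hosts" inode=200 dev=08:01 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1438115420.500:503): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=7ffd a2=0 a3=0 items=2 pid=2003 uid=0 comm="rm" exe="/usr/bin/rm" key="cruft"
type=CWD msg=audit(1438115420.500:503): cwd="/etc"
type=PATH msg=audit(1438115420.500:503): item=0 name="/etc/" inode=100 dev=08:01 mode=040755 nametype=PARENT
type=PATH msg=audit(1438115420.500:503): item=1 name="motd.old" inode=201 dev=08:01 mode=0100644 nametype=DELETE
type=SYSCALL msg=audit(1438115430.250:504): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd a2=1 a3=0 items=1 pid=2004 uid=0 comm="sed" exe="/usr/bin/sed" key="cruft"
type=CWD msg=audit(1438115430.250:504): cwd="/"
type=PATH msg=audit(1438115430.250:504): item=0 name="/etc/hosts" inode=200 dev=08:01 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1438115440.000:505): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=241 a2=1b6 a3=0 items=1 pid=2005 uid=1000 comm="touch" exe="/usr/bin/touch" key="cruft"
type=PATH msg=audit(1438115440.000:505): item=0 name="/etc/cruft" inode=100 dev=08:01 mode=040755 nametype=PARENT
"""

if __name__ == "__main__":
    print("\n".join(audit_rules(["/etc/", "/usr/share/", "~/.config/"], ["/home/tyler"])))
    for ev in classify_events(SAMPLE_LOG.splitlines()):
        print(f'{ev["serial"]} {ev["action"]:15} {ev["path"]:35} {ev["exe"]} ({ev["syscall"]})')
```

Of the five constructed events, the read-only open (502) and the failed open (505) produce nothing; the rename case is covered by the same logic, since audit records the old name with nametype=DELETE and the new one with nametype=CREATE. The "open-for-write" result is the weak spot the reply warns about: it tells you only that sed opened /etc/hosts writable, so a cruft detector should treat it as a candidate and compare a hash or mtime rather than trust it as a modification.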


Thread overview:
2015-07-27 23:30 Using audit as extended inotify Tyler Hardin
2015-07-28 19:30 ` Steve Grubb [this message]
