From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Using audit as extended inotify
Date: Tue, 28 Jul 2015 15:30:02 -0400
Message-ID: <4295366.TZWZoNTLeN@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: Tyler Hardin
List-Id: linux-audit@redhat.com

On Monday, July 27, 2015 07:30:33 PM Tyler Hardin wrote:
> I want to monitor file and directory creation, modification, and deletion
> on some large subtrees (/etc/, /usr/share/, and ~/.config/). And I want the
> name of the executable that caused the event. The purpose will be to
> facilitate cruft detection and removal.

You cannot use globbing in the path.

> Can audit do this? Will using it to do this with such large subtrees become
> a performance issue?

It sort of can. You can monitor directory creation, file creation, and
deletion. Modification is where you start to have an issue. What you can see
is the file is opened with a write flag. But you have no idea if it actually
changed the file. You should be able to see the process doing it. But, I
think you might get a lot of records to process.

Give it a try.

-Steve
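The reply above describes what a path watch can and cannot tell you: CREATE and DELETE show up directly, a "modification" is only visible as an open with a write flag, and the executable is in the SYSCALL record. The following is an added example, not code from the thread or from the audit project, showing how to pull exactly that out of raw audit.log records. It assumes the watches were added with standard `auditctl -w <absolute path> -p wa -k cruft` rules (one per subtree, since the path cannot be globbed), x86_64 syscall numbers (`arch=c000003e`), and a constructed sample log whose `/usr/bin/pkgtool` executable is hypothetical. The read-only `cat` event is included only to exercise the flag check; under `-p wa` it would not be logged at all.

```python
import re
from collections import defaultdict

# Rules assumed to have produced the records below (standard auditctl syntax,
# one absolute path per rule because -w does not expand ~ or *):
#   auditctl -w /etc -p wa -k cruft
#   auditctl -w /usr/share -p wa -k cruft
#   auditctl -w /home/tyler/.config -p wa -k cruft   # one rule per user

# x86_64 syscall numbers (assumption: every SYSCALL record has arch=c000003e)
SYSCALLS = {2: "open", 257: "openat", 87: "unlink", 263: "unlinkat",
            83: "mkdir", 258: "mkdirat", 82: "rename", 316: "renameat2"}
O_WRONLY, O_RDWR = 0x1, 0x2

MSG_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, serial, {field: value})."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def group_events(lines):
    """Join the SYSCALL and PATH records that share an event serial."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"].append(fields)
    return events


def classify(event, key=None):
    """Return (action, path, exe, pid) tuples for one event.

    create/delete come straight from the PATH nametype.  For opens the best we
    can say is 'opened-for-write' from the flags argument: the kernel does not
    record whether any bytes were actually written.
    """
    sc = event["syscall"]
    if sc is None or sc.get("success") != "yes":
        return []
    if key is not None and sc.get("key") != key:
        return []
    nr = int(sc.get("syscall", -1))
    name = SYSCALLS.get(nr, f"syscall{nr}")
    exe, pid = sc.get("exe", "?"), sc.get("pid", "?")
    out = []
    for p in event["paths"]:
        nametype = p.get("nametype")
        if nametype == "PARENT":
            continue
        if nametype in ("CREATE", "DELETE"):
            action = nametype.lower()
        elif name in ("open", "openat"):
            # open(2) carries flags in a1, openat(2) in a2; audit logs them as bare hex
            flags = int(sc.get("a1" if name == "open" else "a2", "0"), 16)
            if not flags & (O_WRONLY | O_RDWR):
                continue  # read-only open: says nothing about a change
            action = "opened-for-write"
        else:
            action = name
        out.append((action, p.get("name", "?"), exe, pid))
    return out


def analyze(lines, key=None):
    """All actions in the log, in event-serial order."""
    events = group_events(lines)
    return [r for serial in sorted(events) for r in classify(events[serial], key)]


def count_by_exe(actions):
    """Records per executable: a quick gauge of how noisy the watches are."""
    counts = defaultdict(int)
    for _action, _path, exe, _pid in actions:
        counts[exe] += 1
    return dict(counts)


# Constructed sample log, not captured data.  100: vim truncates the existing
# /etc/hosts; 101: cat reads it; 102: pkgtool creates a file; 103: pkgtool deletes it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1438112345.100:100): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0a2c1e3a0 a2=241 a3=1a4 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="cruft"
type=CWD msg=audit(1438112345.100:100):  cwd="/root"
type=PATH msg=audit(1438112345.100:100): item=0 name="/etc/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1438112345.100:100): item=1 name="/etc/hosts" inode=131200 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1438112345.200:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe3c2d1b40 a2=0 a3=0 items=1 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="cruft"
type=PATH msg=audit(1438112345.200:101): item=0 name="/etc/hosts" inode=131200 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1438112345.300:102): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0a2c1f000 a2=241 a3=1a4 items=2 ppid=1 pid=1400 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="pkgtool" exe="/usr/bin/pkgtool" key="cruft"
type=PATH msg=audit(1438112345.300:102): item=0 name="/etc/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1438112345.300:102): item=1 name="/etc/new.conf" inode=131300 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1438112345.400:103): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0a2c1f000 a2=0 a3=0 items=2 ppid=1 pid=1400 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="pkgtool" exe="/usr/bin/pkgtool" key="cruft"
type=PATH msg=audit(1438112345.400:103): item=0 name="/etc/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1438112345.400:103): item=1 name="/etc/new.conf" inode=131300 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
"""

if __name__ == "__main__":
    acts = analyze(SAMPLE_LOG.splitlines(), key="cruft")
    for a in acts:
        print(a)
    print(count_by_exe(acts))
```

On a real system the same functions can be fed `ausearch -k cruft --raw` output. The "opened-for-write" result is the honest limit of what the watch tells you: to know whether /etc/hosts actually changed after vim opened it, you still need a checksum or an inode/mtime comparison taken before and after, which audit does not provide.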