* auditctl rule to monitor dir only (not all sub dir and files etc..)
From: Stefano Schiavi @ 2013-09-26 15:36 UTC
To: linux-audit
I am trying to use auditd to monitor changes to a directory. The problem
is that when I set up a rule it does monitor the dir I specified but also
all the sub dirs and files, making the monitor useless due to endless
verbosity.
Here is the rule I set up:
auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
when I search the logs using
ausearch -k raven-pubhtmlwatch
I get thousands of lines of logs that list everything under public_html/
How can I limit the rule to changes on the directory specified only?
Thank you very much.
* Re: auditctl rule to monitor dir only (not all sub dir and files etc..)
From: Steve Grubb @ 2013-09-26 18:25 UTC
To: linux-audit
On Thursday, September 26, 2013 05:36:45 PM Stefano Schiavi wrote:
> I am trying to use auditd to monitor changes to a directory. The problem
> is that when I set up a rule it does monitor the dir I specified but also
> all the sub dirs and files, making the monitor useless due to endless
> verbosity.
>
> Here is the rule I set up:
> auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
A watch is really a syscall rule in disguise. If you place a watch on a
directory, auditctl will turn it into:
-a exit,always -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
The -F dir field is recursive. However, if you just want to watch the directory
entries, you can change that to -F path.
-a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
This is not recursive and just watches the inode that the directory occupies.
-Steve
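The watch-to-syscall-rule translation Steve describes above, as an added illustration that is not part of the thread and not auditctl's own source code: the script parses an `auditctl -w PATH -p PERM -k KEY` command line, validates the -p letters, and emits the equivalent `-a exit,always -F ...` rule in either the recursive `-F dir=` form (what auditctl generates for a directory watch) or the non-recursive `-F path=` form. The default of rwxa when -p is omitted is an assumption taken from auditctl's documented behaviour; the function and variable names are my own.

```python
"""Rewrite an auditctl file-system watch (-w/-p/-k) as the explicit
syscall rule it stands for.  Added illustration of the mapping discussed
in the thread; this is not auditctl's own implementation."""
import shlex

# auditctl's -p accepts only these access types:
# r=read, w=write, x=execute, a=attribute change
VALID_PERMS = frozenset("rwxa")


def validate_perm(perm):
    """Reject a -p value auditctl would not accept (empty or letters outside rwxa)."""
    if not perm or set(perm) - VALID_PERMS:
        raise ValueError("invalid -p value %r: only r, w, x, a are allowed" % perm)
    return perm


def parse_watch(argv):
    """Parse the argument vector of 'auditctl -w PATH [-p PERM] [-k KEY]'.

    argv is a list such as shlex.split() returns (without the program name).
    Assumption: when -p is omitted the watch fires on all four access types.
    """
    opts = {"path": None, "perm": "rwxa", "key": None}
    i = 0
    while i < len(argv):
        flag = argv[i]
        if flag not in ("-w", "-p", "-k"):
            raise ValueError("unexpected argument %r (only -w/-p/-k are handled)" % flag)
        if i + 1 >= len(argv):
            raise ValueError("missing value for %s" % flag)
        value = argv[i + 1]
        if flag == "-w":
            opts["path"] = value
        elif flag == "-p":
            opts["perm"] = validate_perm(value)
        else:
            opts["key"] = value
        i += 2
    if opts["path"] is None:
        raise ValueError("a watch needs -w PATH")
    return opts


def watch_to_syscall_rule(path, perm="rwxa", key=None, recursive=True):
    """Build the '-a exit,always ...' rule a watch stands for.

    recursive=True  -> -F dir=PATH   (PATH and everything below it)
    recursive=False -> -F path=PATH  (only the inode PATH names)
    """
    field = "dir" if recursive else "path"
    parts = ["-a", "exit,always",
             "-F", "%s=%s" % (field, shlex.quote(path)),
             "-F", "perm=%s" % validate_perm(perm)]
    if key:
        parts += ["-F", "key=%s" % key]
    return " ".join(parts)


def rewrite_watch(command_line, recursive=True):
    """Take the text of an 'auditctl -w ...' command and return the equivalent
    -a/-F rule line (without the leading 'auditctl')."""
    argv = shlex.split(command_line)
    if argv and argv[0] == "auditctl":
        argv = argv[1:]
    w = parse_watch(argv)
    return watch_to_syscall_rule(w["path"], w["perm"], w["key"], recursive)


if __name__ == "__main__":
    # The rule from the first message of the thread.
    cmd = "auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch"
    print("# what auditctl makes of a directory watch (recursive):")
    print(rewrite_watch(cmd, recursive=True))
    print("# directory entries only (not recursive):")
    print(rewrite_watch(cmd, recursive=False))
```

The returned line is plain auditctl syntax, so prefixing the `-F path=` output with `auditctl` loads the non-recursive rule by hand, and the same line can go into a rules file that `auditctl -R` reads. Per Steve's explanation, the `-F path=` form only reports operations on the directory's own inode (its entries and attributes); if you also need to see writes to the files beneath it, you are back to the recursive `-F dir=` form and the volume that comes with it.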
* Re: auditctl rule to monitor dir only (not all sub dir and files etc..)
From: Stefano Schiavi @ 2013-09-26 18:58 UTC
To: linux-audit
Thank you so much Steve!
Do you know how to set this up via "auditctl"?
I was not able to find a way looking at:
[~]# auditctl -help
Otherwise where would I edit the rule? (it's not in the .rules file, but
it is displayed if I auditctl -l)
Thank you so much
Stefano
On 09/26/2013 08:25 PM, Steve Grubb wrote:
> On Thursday, September 26, 2013 05:36:45 PM Stefano Schiavi wrote:
>> I am trying to use auditd to monitor changes to a directory. The problem
>> is that when I set up a rule it does monitor the dir I specified but also
>> all the sub dirs and files, making the monitor useless due to endless
>> verbosity.
>>
>> Here is the rule I set up:
>> auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
> A watch is really a syscall rule in disguise. If you place a watch on a
> directory, auditctl will turn it into:
>
> -a exit,always -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
>
> The -F dir field is recursive. However, if you just want to watch the directory
> entries, you can change that to -F path.
>
> -a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
>
> This is not recursive and just watches the inode that the directory occupies.
>
> -Steve