From: Stefano Schiavi
Subject: Re: auditctl rule to monitor dir only (not all sub dir and files etc..)
Date: Thu, 26 Sep 2013 20:58:45 +0200
Message-ID: <524483E5.20300@gmail.com>
In-Reply-To: <18913033.s01T2HagDj@x2>
References: <5244548D.2080609@gmail.com> <18913033.s01T2HagDj@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Thank you so much Steve!

Do you know how to set this up via "auditctl"?

I was not able to find a way looking at:
[~]# auditctl -help

Otherwise where would I edit the rule? (it's not in the .rules file, but it is displayed if I auditctl -l)

Thank you so much
Stefano

On 09/26/2013 08:25 PM, Steve Grubb wrote:
> On Thursday, September 26, 2013 05:36:45 PM Stefano Schiavi wrote:
>> I am trying to use auditd to monitor changes to a directory. The problem
>> is that when I set up a rule it does monitor the dir I specified but also
>> all the sub dir and files making the monitor useless due to endless
>> verbosity.
>>
>> Here is the rule I set up:
>> auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
>
> A watch is really a syscall rule in disguise. If you place a watch on a
> directory, auditctl will turn it into:
>
> -a exit,always -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
>
> The -F dir field is recursive. However, if you just want to watch the directory
> entries, you can change that to -F path.
>
> -a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
>
> This is not recursive and just watches the inode that the directory occupies.
>
> -Steve
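The conversion Steve describes, as an added example that is not part of the thread or of the audit project's own code: a small POSIX sh script that rewrites the "-w DIR -p PERMS -k KEY" watch syntax into the equivalent "-a exit,always -F ..." syscall rule, letting the caller choose the recursive -F dir form or the inode-only -F path form, and that classifies rule lines by scope so an existing ruleset can be checked for watches that ended up recursive. The directory, permissions and key are the ones from the thread; the default rules-file location in apply_rule is an assumption.

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread or the audit project.
# Builds the syscall-rule form of a watch (what auditctl does internally for
# "-w DIR"), with the filter field chosen by the caller:
#   dir  -> -F dir=DIR   (recursive: DIR and everything below it)
#   path -> -F path=DIR  (only the inode that DIR itself occupies)

# watch_to_syscall_rule FIELD -w DIR [-p PERMS] [-k KEY]
#   Prints the equivalent "-a exit,always -F ..." rule on stdout.
watch_to_syscall_rule() {
    field=$1; shift
    case $field in dir|path) ;; *) echo "field must be dir or path" >&2; return 1 ;; esac
    dir=; perms=; key=
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "option $1 needs a value" >&2; return 1; }
        case $1 in
            -w) dir=$2 ;;
            -p) perms=$2 ;;
            -k) key=$2 ;;
            *)  echo "unexpected option: $1" >&2; return 1 ;;
        esac
        shift 2
    done
    [ -n "$dir" ] || { echo "missing -w DIR" >&2; return 1; }
    rule="-a exit,always -F $field=$dir"
    # -F perm and -F key are only emitted when -p / -k were given.
    [ -z "$perms" ] || rule="$rule -F perm=$perms"
    [ -z "$key" ]   || rule="$rule -F key=$key"
    printf '%s\n' "$rule"
}

# rule_scope RULE
#   Prints "recursive" for a -F dir= rule, "inode" for a -F path= rule and
#   "other" for anything else (including watches written in -w shorthand).
rule_scope() {
    case $1 in
        *"-F dir="*)  echo recursive ;;
        *"-F path="*) echo inode ;;
        *)            echo other ;;
    esac
}

# apply_rule RULE [RULES_FILE]
#   Loads RULE into the running kernel (needs root and auditd) and appends
#   it to RULES_FILE so it survives a reboot. The default file is an
#   assumption; distributions differ (/etc/audit/audit.rules or
#   /etc/audit/rules.d/*.rules).
apply_rule() {
    rule=$1; rules_file=${2:-/etc/audit/rules.d/watch.rules}
    # shellcheck disable=SC2086  # splitting the rule into words is intended
    auditctl $rule || return 1
    printf '%s\n' "$rule" >> "$rules_file"
}

# Demo (no root needed): print both forms for the directory from the thread.
if [ "${1:-}" = demo ]; then
    set -- -w /home/raven/public_html -p war -k raven-pubhtmlwatch
    r=$(watch_to_syscall_rule dir "$@")
    i=$(watch_to_syscall_rule path "$@")
    echo "recursive: $r  [$(rule_scope "$r")]"
    echo "inode:     $i  [$(rule_scope "$i")]"
fi
```

Running `sh script.sh demo` prints the two rule lines from the thread, tagged recursive and inode. To answer the "how do I set this up" question directly: the -F path line printed by `watch_to_syscall_rule path ...` can be passed to auditctl as-is (`auditctl -a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch`), or written without the leading `auditctl` into the rules file; apply_rule does both. rule_scope only recognises the explicit -F dir= / -F path= forms, so rule lines printed in the -w shorthand classify as "other" and need converting first.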