<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Verdana">Thank you so much Steve!<br>
<br>
Do you know how to set this up via "auditctl" ?<br>
<br>
I was not able to find a way looking at:<br>
[~]# auditctl -help<br>
<br>
Otherwise where would I edit the rule? (it's not in the .rules
file, but it is displayed if I auditctl -l)<br>
<br>
Thank you so much<br>
Stefano<br>
<br>
</font>
<div class="moz-cite-prefix">On 09/26/2013 08:25 PM, Steve Grubb
wrote:<br>
</div>
<blockquote cite="mid:18913033.s01T2HagDj@x2" type="cite">
<pre wrap="">On Thursday, September 26, 2013 05:36:45 PM Stefano Schiavi wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I am trying to use auditd to monitor changes to a directory. The problem
is that when I setup a rule it does monitor the dir I specified but also
all the sub dir and files making the monitor useless due to endless
verbosity.
Here is the rule I setup:
|auditctl-w/home/raven/public_html-p war-k raven-pubhtmlwatch|
</pre>
</blockquote>
<pre wrap="">
A watch is really a syscall rule in disguise. If you place a watch on a
directory, auditctl will turn it into:
-a exit,always -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
The -F dir field is recursive. However, if you just want to watch the directory
entries, you can change that to -F path.
-a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
This is not recursive and just watches the inode that the directory occupies.
-Steve
</pre>
</blockquote>
<br>
</body>
</html>