Auditing File Changes
Steve Grubb
sgrubb at redhat.com
Mon Jul 10 17:44:01 UTC 2006
On Monday 10 July 2006 13:29, eklinger at uci.edu wrote:
> Please forgive me if this has been asked, but will the file watch
> functionality
We only go after an open command with write permission turned on. The case
being that you can fill up your logs quickly by intercepting all writes.
> be able to intercept writes and/or be able to intercept the
> actual changes to the file and report those, in addition to the fact that
> the file was modified?
No, it will not. If you need to see actual changes, then you need to
instrument the program in question to log changes. You can look at passwd or
hwclock as an example of this.
-Steve
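An added example, not part of the original message or of the audit project's code: it reads audit SYSCALL records and picks out the opens that request write access, the only point the reply says a watch goes after. The sample records are constructed, the syscall numbers are those of x86_64, and it assumes the decision depends only on the access mode in the open flags.

```python
import re

# Access-mode bits of the open(2) flags argument (Linux values).
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2

# x86_64 syscall number -> index of the flags argument among a0..a3.
# Assumption: only open(path, flags) and openat(dirfd, path, flags) are handled.
FLAG_ARG = {2: 1, 257: 2}

FIELD = re.compile(r'(\w+)=(\S+)')
SERIAL = re.compile(r'audit\([\d.]+:(\d+)\)')

def opened_for_write(record):
    """True if a SYSCALL record is an open/openat that asks for write access."""
    fields = dict(FIELD.findall(record))
    if fields.get('type') != 'SYSCALL':
        return False
    try:
        idx = FLAG_ARG[int(fields['syscall'])]
        flags = int(fields['a%d' % idx], 16)   # a0..a3 are logged in hex
    except (KeyError, ValueError):
        return False                            # other syscall or malformed record
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)

def watch_hits(records):
    """Serial numbers of the records that open a file with write permission."""
    hits = []
    for rec in records:
        m = SERIAL.search(rec)
        if m and opened_for_write(rec):
            hits.append(m.group(1))
    return hits

# Constructed sample records (not real log output).
SAMPLE = [
    # open(..., O_RDONLY): read-only, no write permission requested
    'type=SYSCALL msg=audit(1152553441.100:10): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0 a1=0 a2=0 a3=0',
    # open(..., O_WRONLY|O_CREAT|O_TRUNC) -> flags 0x241
    'type=SYSCALL msg=audit(1152553441.200:11): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0 a1=241 a2=1b6 a3=0',
    # write(3, buf, 64): the write itself, which says nothing about what changed
    'type=SYSCALL msg=audit(1152553441.300:12): arch=c000003e syscall=1 success=yes exit=64 a0=3 a1=7ffd8 a2=40 a3=0',
    # openat(AT_FDCWD, ..., O_RDWR)
    'type=SYSCALL msg=audit(1152553441.400:13): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd0 a2=2 a3=0',
]

if __name__ == '__main__':
    print(watch_hits(SAMPLE))
```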
More information about the Linux-audit
mailing list