Format for multiple syscalls in a rule

Steve Grubb sgrubb at redhat.com
Tue Mar 28 18:25:17 UTC 2006


On Tuesday 28 March 2006 13:15, Mont Rothstein wrote:
> Could someone please enlighten me?  I am trying to audit all access to
> files (read, write, remove).  I believe all I need to do is audit open,
> write, and rmdir in a single rule.  I just can't figure out how to format
> it.

This is in the latest capp.rules file. To find the file:
[~]$ rpm -ql audit | grep capp
/usr/share/doc/audit-1.0.14/capp.rules

in it:

## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
-a entry,possible -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64

## directory operations
-a entry,possible -S mkdir -S rmdir

## moving, removing, and linking
-a entry,possible -S unlink -S rename -S link -S symlink

I recommend combining rules where possible since this improves
the overall performance...it has fewer rules to iterate through.

-Steve
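As an added illustration of the advice above (this is not code from the post or from the audit package), the following shell script takes a set of old-style `-a list,action -S syscall` rules and merges every rule that shares the same `-a list,action` prefix into a single rule carrying all of the `-S` flags, which is exactly what the capp.rules excerpt does by hand. The sample rules are constructed for the example; the helper names `merge_audit_rules` and `count_rules` are the example's own.

```shell
#!/bin/sh
# Added example: merge audit rules that share the same "-a <list>,<action>"
# prefix into one rule with several -S flags, so the kernel has fewer rules
# to iterate through. Assumes each rule line uses only -a and -S options.

# Constructed sample input: four rules, three of which share a prefix.
SAMPLE_RULES='-a entry,possible -S creat -S open
-a entry,possible -S truncate -S truncate64
-a entry,possible -S mkdir -S rmdir
-a exit,always -S unlink'

# Read rules on stdin, print one merged rule per distinct "-a" prefix.
# Syscalls are de-duplicated and prefixes keep their first-seen order.
merge_audit_rules() {
  awk '
    /^-a / {
      key = $2                              # e.g. "entry,possible"
      for (i = 3; i <= NF; i++) {
        if ($i == "-S" && i < NF) {
          i++                               # $i is now the syscall name
          if (!((key, $i) in seen)) {
            seen[key, $i] = 1
            sc[key] = sc[key] " -S " $i
          }
        }
      }
      if (!(key in order)) { order[key] = ++n; keys[n] = key }
    }
    END {
      for (j = 1; j <= n; j++) print "-a " keys[j] sc[keys[j]]
    }
  '
}

# Count rule lines on stdin (useful to confirm the merge shrank the set).
count_rules() {
  grep -c '^-a '
}

# Demo when run directly: four input rules become two.
printf '%s\n' "$SAMPLE_RULES" | merge_audit_rules
```

Feed the script an existing rules file on stdin to see how many `-a` lines it would collapse; any rule carrying other options (such as `-F` filters) should be left out of the merge, since rules with different filters are not equivalent.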



