"Watch"ing a directory
Steve Grubb
sgrubb at redhat.com
Wed Aug 22 14:36:34 UTC 2007
On Wednesday 22 August 2007 10:17:37 Pete Briggs wrote:
> Is there any way to put a watch on a directory,
Sort of...RHEL5.1 will have subtree auditing working in it. Al Viro also sent
the patch upstream and should land in 2.6.23 or 24.
> so that an audit record will be generated if anyone cd's to that directory.
Not for cd'ing into a directory. They have to attempt to read, write, change
an attribute, or execute a file.
> I've tried things like:
>
> -w /etc/audit/ -k ACCESS_AUDIT
That is how you would watch a directory with current audit package and kernel
with the subtree auditing patch.
> but the rule never seems to get invoked. I'm running FC7 with
> audit-1.5.3
They have to actually do something for it to trip...assuming you have a kernel
that supports it.
-Steve
More information about the Linux-audit
mailing list