"Watch"ing a directory

Pete Briggs pbriggs at ll.mit.edu
Wed Aug 22 15:40:00 UTC 2007


Once I tried something like touching a file, this worked as advertised.
I'm using kernel:

2.6.21-1.3194.fc7

on Fedora 7

Thanks again - Pete Briggs

On Wed, 2007-08-22 at 10:36 -0400, Steve Grubb wrote:
> On Wednesday 22 August 2007 10:17:37 Pete Briggs wrote:
> > Is there any way to put a watch on a directory, 
> 
> Sort of...RHEL5.1 will have subtree auditing working in it. Al Viro also sent 
> the patch upstream and should land in 2.6.23 or 24.
> 
> > so that an audit record will be generated if anyone cd's to that directory. 
> 
> Not for cd'ing into a directory. They have to attempt to read, write, change 
> an attribute, or execute a file.
> 
> > I've tried things like:
> >
> > -w /etc/audit/ -k ACCESS_AUDIT
> 
> That is how you would watch a directory with current audit package and kernel 
> with the subtree auditing patch.
> 
> > but the rule never seems to get invoked. I'm running FC7 with
> > audit-1.5.3
> 
> They have to actually do something for it to trip...assuming you have a kernel 
> that supports it.
> 
> -Steve
> 
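
Added example, not part of the original thread: once a watch such as `-w /etc/audit/ -k ACCESS_AUDIT` trips on a file access (a plain cd produces nothing, as the reply says), the resulting records can be found in the audit log by the rule's key. The Python below groups records by event ID and lists the events carrying that key; the sample records are constructed in the usual audit.log layout, and the function names, pids, uids and paths are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (usual audit.log layout; values are invented).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1187797200.101:812): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2301 auid=500 uid=500 comm="cat" exe="/bin/cat" key="ACCESS_AUDIT"
type=CWD msg=audit(1187797200.101:812): cwd="/home/user1"
type=PATH msg=audit(1187797200.101:812): item=0 name="/etc/audit/auditd.conf" inode=98311 dev=fd:00 mode=0100640 ouid=0 ogid=0
type=SYSCALL msg=audit(1187797260.440:815): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2310 auid=501 uid=501 comm="touch" exe="/bin/touch" key="ACCESS_AUDIT"
type=PATH msg=audit(1187797260.440:815): item=0 name="/etc/audit/newfile"
type=SYSCALL msg=audit(1187797300.002:820): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2322 auid=500 uid=500 comm="less" exe="/usr/bin/less" key="OTHER_RULE"
type=PATH msg=audit(1187797300.002:820): item=0 name="/etc/passwd" inode=98100 dev=fd:00 mode=0100644 ouid=0 ogid=0
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records into events keyed by (timestamp, serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        # Fields after the msg=audit(...) stamp; quoted values lose their quotes.
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        fields["type"] = line.split()[0].split("=", 1)[1]
        events[(m.group(1), int(m.group(2)))].append(fields)
    return events

def watch_hits(text, key):
    """Return one summary per event whose SYSCALL record carries `key`."""
    hits = []
    events = parse_events(text)
    for (ts, serial) in sorted(events, key=lambda e: e[1]):
        records = events[(ts, serial)]
        sc = next((r for r in records if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        paths = [r["name"] for r in records if r["type"] == "PATH" and "name" in r]
        hits.append({"serial": serial, "comm": sc.get("comm"), "auid": sc.get("auid"),
                     "success": sc.get("success"), "paths": paths})
    return hits

if __name__ == "__main__":
    for hit in watch_hits(SAMPLE_LOG, "ACCESS_AUDIT"):
        print(hit)
```

File names containing spaces or other special characters are hex-encoded in real audit records; this example does not decode them.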



