A question about the directory watch in audit_tree.c in kernel
Steve Grubb
sgrubb at redhat.com
Tue May 20 12:41:48 UTC 2008
On Tuesday 20 May 2008 08:06:12 am Kevin Boyce wrote:
> Correct me if I am wrong, but in doing the auditctl -w /home, the only
> thing that is being audited is the inode entry for the directory itself.
Not in new kernels. I think starting in 2.6.24 we have the ability to
recursively audit to the bottom of a given directory tree.
-Steve
More information about the Linux-audit
mailing list