Watch in audit 1.6

Steve Grubb sgrubb at redhat.com
Tue Jan 20 16:54:51 UTC 2009


On Tuesday 20 January 2009 11:11:52 am Ameel Kamboh wrote:
> Is there a way to exclude watching subdirectories as well?

Today, not that I know of. A patch was submitted into the latest development 
kernel (2.6.29) to preserve watch ordering. But you will have to make some 
changes to the rules. A typical watch looks like this:

-w /var/mydir -p wa -k mywatch

It's the same as:

-a always,exit -F dir=/var/mydir -F perm=wa -F key=mywatch

In the future, you will be able to do:

-a never,exit -F dir=/var/mydir/runtime
-a always,exit -F dir=/var/mydir -F perm=wa -F key=mywatch

in that specific order since first match wins.

-Steve
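
The first-match-wins ordering described above, modelled in Python as an added example that is not part of the original post. It is a simplified model, not the kernel's matching code: it handles only the `dir`, `perm` and `key` fields (`perm` is auditctl's name for the permission field), and the sample paths are constructed.

```python
import shlex
from pathlib import PurePosixPath

def parse_rule(line):
    """Parse '-a action,list -F k=v ...' (action,list order, as in the post)."""
    rule = {"fields": {}}
    tokens = iter(shlex.split(line))
    for tok in tokens:
        if tok == "-a":
            rule["action"], rule["list"] = next(tokens).split(",")
        elif tok == "-F":
            name, value = next(tokens).split("=", 1)
            rule["fields"][name] = value
    return rule

def under(path, directory):
    """True if path is the directory or below it (component-wise, not a string prefix)."""
    p, d = PurePosixPath(path), PurePosixPath(directory)
    return p == d or d in p.parents

def matches(rule, path, access):
    f = rule["fields"]
    if "dir" in f and not under(path, f["dir"]):
        return False
    # perm=wa matches if the access includes write or attribute change
    if "perm" in f and not set(f["perm"]) & set(access):
        return False
    return True

def decide(rules, path, access):
    """Walk the list in order; the first matching rule decides the outcome."""
    for line in rules:
        rule = parse_rule(line)
        if matches(rule, path, access):
            return rule["action"], rule["fields"].get("key")
    return None, None  # no rule matched: no record from this list

# The two rules from the post, in the order given there.
ORDERED = [
    "-a never,exit -F dir=/var/mydir/runtime",
    "-a always,exit -F dir=/var/mydir -F perm=wa -F key=mywatch",
]
# Same rules loaded the other way round: the exclusion is never reached.
REVERSED = list(reversed(ORDERED))

if __name__ == "__main__":
    for path in ("/var/mydir/runtime/app.pid", "/var/mydir/conf/app.conf"):
        print(path, decide(ORDERED, path, "w"), decide(REVERSED, path, "w"))
```

With the rules reversed, a write under /var/mydir/runtime is still audited, because the broader `always` rule matches first.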



