auditctl rule to monitor dir only (not all sub dir and files etc..)

Steve Grubb sgrubb at redhat.com
Thu Sep 26 18:25:32 UTC 2013


On Thursday, September 26, 2013 05:36:45 PM Stefano Schiavi wrote:
> I am trying to use auditd to monitor changes to a directory. The problem
> is that when I set up a rule it does monitor the dir I specified but also
> all the subdirectories and files, making the monitor useless due to endless
> verbosity.
> 
> Here is the rule I set up:
> auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch

A watch is really a syscall rule in disguise. If you place a watch on a
directory, auditctl will turn it into:

-a exit,always  -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

The -F dir field is recursive. However, if you just want to watch the directory
entries, you can change that to -F path.

-a exit,always  -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

This is not recursive and just watches the inode that the directory occupies.

-Steve
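As an added illustration (not part of Steve's reply or of the audit project's code), the following Python models the rewrite described above: a `-w` watch becomes an `-a exit,always` rule with `-F dir=` (recursive) or, for the directory inode only, `-F path=`. The parser and the match model are simplified stand-ins for auditctl and the kernel filter, and the default of `rwxa` when `-p` is omitted is an assumption.

```python
import shlex
from pathlib import PurePosixPath


def watch_to_syscall_rule(watch_rule: str, recursive: bool = True) -> str:
    """Rewrite 'auditctl -w PATH [-p PERMS] [-k KEY]' into its syscall-rule form.

    recursive=True emits -F dir= (the whole subtree, which is what auditctl
    itself does for a watch); recursive=False emits -F path= (directory inode only).
    Simplified stand-in for auditctl's own option handling, not its code.
    """
    args = shlex.split(watch_rule)
    if args[:1] == ["auditctl"]:
        args = args[1:]
    if len(args) % 2:
        raise ValueError("expected -w PATH [-p PERMS] [-k KEY]")
    opts = {}
    for flag, value in zip(args[0::2], args[1::2]):
        if flag not in ("-w", "-p", "-k"):
            raise ValueError(f"unsupported option in watch rule: {flag}")
        opts[flag] = value
    if "-w" not in opts:
        raise ValueError("watch rule needs -w PATH")
    perm = opts.get("-p", "rwxa")  # assumed default: all four access types
    if not perm or set(perm) - set("rwxa"):
        raise ValueError(f"bad -p value: {perm!r}")
    field = "dir" if recursive else "path"
    rule = f"-a exit,always -F {field}={opts['-w']} -F perm={perm}"
    if "-k" in opts:
        rule += f" -F key={opts['-k']}"
    return rule


def rule_matches(rule: str, accessed: str) -> bool:
    """Model the filesystem filter of a translated rule.

    -F dir= matches the directory and anything beneath it; -F path= matches
    only that exact inode. This simple model ignores the kernel's
    parent-directory name records and resolves paths purely lexically.
    """
    fields = dict(tok.split("=", 1) for tok in shlex.split(rule) if "=" in tok)
    target = PurePosixPath(accessed)
    if "dir" in fields:
        base = PurePosixPath(fields["dir"])
        return target == base or base in target.parents
    if "path" in fields:
        return target == PurePosixPath(fields["path"])
    raise ValueError("rule has neither a dir= nor a path= field")
```

Running `watch_to_syscall_rule` on the rule from the question with `recursive=False` yields the `-F path=` form from the reply, and `rule_matches` shows that a write to a file below `public_html` is caught by the `dir` rule but not by the `path` rule.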