What's the difference between -F dir=XX and -w?
Bryan Harris
bryanlharris at me.com
Fri Jan 3 08:12:51 UTC 2014
Hi Aaron,
On Jan 3, 2014, at 12:30 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
> Hi,
>
> What's the difference between -F dir=XX and -w?
>
> -a exit,always -F arch=b64 -S open -F success=1 -F dir=/secure
>
> versus
>
> -w /secure
>
I'm new to audit but I did a search and after a while found an old thread. I think -w /path is essentially expanded to be a -F dir=/path rule, except they don't put the -F arch=b64. I guess architecture may not matter for open(), but that's just a guess.
Here it is,
https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html
V/r,
Bryan
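To make the expansion Bryan describes concrete, here is an added example (not from the thread or from auditctl itself): a small POSIX shell function that rewrites an auditctl "-w PATH [-p PERMS] [-k KEY]" watch into the long-form "-a always,exit -F dir=PATH -F perm=PERMS" rule. It assumes the watch form carries no -F arch and no -S, so unlike the open()-only rule in the question it applies to every syscall in the requested permission classes on every architecture; that reading of auditctl's behaviour is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): expand an auditctl "-w" watch line into
# the long-form dir/perm rule it is shorthand for.
# Assumption: -w PATH [-p PERMS] [-k KEY] maps to
#   -a always,exit -F dir=PATH -F perm=PERMS [-F key=KEY]
# with no -F arch and no -S, i.e. all syscalls in the r/w/x/a classes.
watch_to_rule() {
    path=""; perms="rwxa"; key=""     # auditctl default perms are rwxa
    while [ $# -gt 0 ]; do
        case "$1" in
            -w) path="$2";  shift 2 ;;
            -p) perms="$2"; shift 2 ;;
            -k) key="$2";   shift 2 ;;
            *)  printf 'unknown option: %s\n' "$1" >&2; return 1 ;;
        esac
    done
    [ -n "$path" ] || { printf 'missing -w PATH\n' >&2; return 1; }
    # Only r, w, x and a are valid permission letters for -p / -F perm=
    case "$perms" in
        ""|*[!rwxa]*) printf 'bad perms: %s\n' "$perms" >&2; return 1 ;;
    esac
    rule="-a always,exit -F dir=$path -F perm=$perms"
    [ -n "$key" ] && rule="$rule -F key=$key"
    printf '%s\n' "$rule"
}

# Usage: watch_to_rule -w /secure -p wa -k secure_files
```

Contrast the output with the rule quoted in the question: the expanded watch has no -F arch=b64, no -S open and no -F success=1, which is exactly the difference the thread is asking about.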