Audit watches on NFS mounts
Vaughn, Chad M
chad.m.vaughn at lmco.com
Thu Oct 20 14:42:07 UTC 2016
I noticed a weird behavior. I NFS mount /usr/local on my Red Hat machines.
If I put a watch for a directory in that NFS mount:
-w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
On Red Hat 6.4, I don't see audit events when trying to remove or change files in that dir.
On Red Hat 6.8, I do see the audit events when trying to remove or change files in that dir.
Any ideas of possible features added to auditd between those releases? I would like to be able to speak to it for security audits.