audit rules watching paths

Steve Grubb sgrubb at redhat.com
Sun Mar 12 23:21:43 UTC 2017


On Saturday, March 11, 2017 11:48:53 PM EDT Warron French wrote:
> I know that I can add to the audit.rules file a rule like
> 
> -w /etc/ -p rawx -k watch_Etc
> 
> But how far down will this sort of audit rule monitor /etc/?  How many
> levels deep?

The "-w /etc" is the same thing as "-F dir=/etc". They both go down all the 
way until you hit a new mount point. So, for the sake of discussion, suppose 
/dev/sdb3 was mounted at /etc/sysconfig/, then anything under /etc/sysconfig/ 
will not be audited. To fix this, you need to add a rule with the -q option to 
tell the kernel that the mounted file system should be considered equivalent to 
the directory being watched.

I also think that if you have any symlinks that point out of the subtree, that 
they may not get watched because they actually resolve to another path. I'd 
have to test that to be 100% sure, though.

Also note that during path resolution if there is a permission problem at a 
directory level and the object was below it, you may not get an event or only 
an event at the directory where the permission was blocked.

-Steve
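As an added example (not part of Steve's reply or of the audit project), a small shell check for the mount-point caveat he describes: it lists every mount point sitting below a watched directory, since objects under those mounts fall outside a plain "-w" rule until a matching -q rule is added. The mounts table used here is a constructed sample, not output from a real host; without the second argument the function reads /proc/self/mounts.

```shell
#!/bin/sh
# Constructed /proc/self/mounts-style sample (device, mount point, type, opts, dump, pass).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb3 /etc/sysconfig ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
/dev/sdc1 /etc/pki/tls/private xfs rw 0 0'

# mounts_under_watch WATCHED_DIR [MOUNTS_TABLE]
# Prints each mount point strictly below WATCHED_DIR, one per line.
# A "-w WATCHED_DIR" rule stops at these boundaries, so each printed path
# needs its own -q rule (or its own watch) to be covered.
mounts_under_watch() {
    watched=${1%/}                        # normalise "/etc/" -> "/etc"
    [ -n "$watched" ] || watched=/        # "/" itself survives the strip
    table=${2:-$(cat /proc/self/mounts)}
    printf '%s\n' "$table" | awk -v w="$watched" '
        BEGIN { prefix = (w == "/") ? "/" : w "/" }
        # field 2 is the mount point; keep it if it starts with the watched
        # directory followed by a separator, but is not the directory itself
        $2 != w && index($2, prefix) == 1 { print $2 }'
}

# Stand-alone usage against the constructed sample.
mounts_under_watch /etc/ "$SAMPLE_MOUNTS"
```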