On Wednesday 22 August 2007 10:17:37 Pete Briggs wrote:
> Is there any way to put a watch on a directory,

Sort of...RHEL5.1 will have subtree auditing working in it. Al Viro also sent the patch upstream and should land in 2.6.23 or 24.

> so that an audit record will be generated if anyone cd's to that directory.

Not for cd'ing into a directory. They have to attempt to read, write, change an attribute, or execute a file.

> I've tried things like:
>
> -w /etc/audit/ -k ACCESS_AUDIT

That is how you would watch a directory with current audit package and kernel with the subtree auditing patch.

> but the rule never seems to get invoked. I'm running FC7 with
> audit-1.5.3

They have to actually do something for it to trip...assuming you have a kernel that supports it.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
