Trying to find what is deleting a directory (/tmp/xauth). Thought I'd start with the basics and just put a watch on it.

[EMAIL PROTECTED]:/etc/audit > auditctl -w /testdir/checkdir -p rwxa -k missingfiles
[EMAIL PROTECTED]:/etc/audit > auditctl -l|grep missing
LIST_RULES: exit,always dir=/testdir/checkdir (0x11) perm=rwxa key=missingfiles
[EMAIL PROTECTED]:/etc/audit > ausearch -k missingfiles
<no matches>
[EMAIL PROTECTED]:/etc/audit > rmdir /testdir/checkdir
[EMAIL PROTECTED]:/etc/audit > ausearch -k missingfiles
<no matches>
[EMAIL PROTECTED]:/etc/audit > auditctl -w /testdir/checkfile -p wrxa -k missingfiles
[EMAIL PROTECTED]:/etc/audit > rm /testdir/checkfile
[EMAIL PROTECTED]:/etc/audit > ausearch -k missingfiles
----
(lots of text here)

Any suggestions on how to get it to do for a directory what it's doing for the file? I don't want to watch /tmp for adds/removes obviously; that would be silly. It is indeed a *directory* (regardless of whether the directory contents show up) that I want to watch.

Thanks,
Brian LaMere
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
