Hi;

Ok. For example, to watch the /root directory and its subdirectories:
I can only -> scan the /root directory recursively (find /root/ -type d) and add all result lines to the audit.rules file. Is this technique correct?

Best Regards

On Tue, Jul 20, 2010 at 3:24 PM, Steve Grubb <[email protected]> wrote:
> On Tuesday, July 20, 2010 08:04:02 am List Quest wrote:
> > I am trying RHEL 4.x series auditing.
> >
> > Example:
> > Audit version: audit-1.0.15-3.EL4
> >
> > -w /root -p w
> >
> > config line added to audit.rules; but this config watches only "/root"
> > directory writes. It does not watch "/root/Desktop", "/root/test", etc...
> >
> > I can't do a recursive directory watch, like audit version audit-1.7.17-3
> >
> > How can I do this?
>
> That is correct. The first iteration of the audit system has some limitations
> that were fixed over time. For example, another thing you cannot do on the
> older kernels is add a key to syscall rules.
>
> -Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
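The approach asked about above (one `-w DIR -p w` line per directory returned by `find`), written out as an added example that is not part of the original thread. The function names and the rules-file argument are hypothetical, and paths containing whitespace are skipped on the assumption that the rules file is split on whitespace.

```shell
#!/bin/sh
# Added example: expand one directory watch into per-directory audit watches.

# gen_watch_rules ROOT [PERMS]: print "-w DIR -p PERMS" for ROOT and every
# directory below it, sorted so that repeated runs diff cleanly.
gen_watch_rules() {
    root=$1
    perms=${2:-w}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    nl='
'
    # -xdev stays on one filesystem; names containing a newline are pruned
    # because they cannot be written as a single rule line.
    find "$root" -xdev -name "*$nl*" -prune -o -type d -print |
    LC_ALL=C sort |
    while IFS= read -r dir; do
        case $dir in
            *[[:space:]]*)
                # Assumption: the rules file is split on whitespace.
                echo "skipped, whitespace in path: $dir" >&2
                continue ;;
        esac
        printf '%s %s %s %s\n' -w "$dir" -p "$perms"
    done
}

# append_new_rules FILE: read rules on stdin, append only those not already
# present in FILE as a whole line, and print how many were appended.
append_new_rules() {
    file=$1
    touch "$file" || return 1
    added=0
    while IFS= read -r rule; do
        # -e is required because every rule starts with "-w".
        if ! grep -qxF -e "$rule" "$file"; then
            printf '%s\n' "$rule" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Stand-alone use: sh script.sh ROOT RULES_FILE [PERMS]
if [ "$#" -ge 2 ]; then
    gen_watch_rules "$1" "${3:-w}" | append_new_rules "$2"
fi
```

A list generated this way covers only the directories that exist when it is run, so it has to be regenerated and reloaded after new subdirectories are created.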
