How does auditd perform on a rule like the following, assuming that /home/ is an nfs mount?

    -a exit,always -F arch=b64 -S open -F dir=/home/ -F a2&2 -F success=1 -C euid!=obj_uid -k

Does this become a watch rule (and do watch rules even work with nfs)? Assuming that the mount map for /home/ is giant (several K entries), does this run the risk of filling fsnotify (inotify?) watch lists?

Cheers,
peter

--
Peter Moody  Google  1.650.253.7306
Security Engineer  pgp:0xC3410038

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
