Hi Aaron,

On Jan 3, 2014, at 12:30 AM, Aaron Lewis <[email protected]> wrote:

> Hi,
>
> What's the difference between -F dir=XX and -w?
>
> -a exit,always -F arch=b64 -S open -F success=1 -F dir=/secure
>
> versus
>
> -w /secure

I'm new to audit but I did a search and after a while found an old thread. I think -w /path is essentially expanded to be a -F dir=/path rule, except they don't put the -F arch=b64. I guess architecture may not matter for open() but that's just a guess. Here it is:

https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html

V/r,
Bryan

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
