On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote: > I am trying to monitor multiple files using Linux audit. In order to get > better performance, I am trying to reduce number of rules. If I specify > more than one path field as in below example I am getting "Invalid > argument". > > Examle1: > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F > path=/home/secpack/test -S open Error sending add rule data request > (Invalid argument) > > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F > dir=/tmp/ -S open Error sending add rule data request (Invalid argument) > > However, I am able to create a single rule to monitor multiple PIDs or UIDs > as below. > > Examle2: > # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 > # auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002
Which will produce no events due to the anding you mention below. Something cannot have both pid 3526 and 3537. > As per the auditctl man page, Build a rule field takes up to 64 fields on a > single command line. Each one must start with -F. Each field equation is > anded with each other to trigger an audit record. My question is, > 1. specify more than one path field as in example1 is valid? Nope. > 2. If not valid than how do I create single audit rule to monitor multiple > files/directory? They need to be separate rules. You can also recursively watch a directory with 'dir' > 3. If valid, then why "Invalid argument" is reported? > 4. To monitor 10 files, should 10 audit rules required? Possibly. > 5. if 10 rules are required, how to I optimize the rule for performance? The filesystem watches are very efficient. You can probably put a 100 watches on random files and you will not be able to see any performance hit unless they are actually triggered. Syscall rules on the otherhand do affect performance. > My next question is does Linux audit support regular expressions? No. The kernel pretty much wants things to be numbers rather than strings. > How do I create audit rule to monitor /var/log/*.log? -a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log -Steve > # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open > Error sending add rule data request (Invalid argument) > > If my questions are already documented, please guide me to the > documentation. > > Regards, > Ketan -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
