All geek questions in one place

Auditd - auditctl rule for monitoring only dir (not all sub files and files, etc.)

I am trying to use auditd to track directory changes. The problem is that when I configure the rule, it controls the directory I specified, as well as all the auxiliary files and files that make the monitor useless because of the endless verbosity.

Here is the rule that I set:

auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch

when searching magazines using

 ausearch -k raven-pubhtmlwatch

I get thousands of log lines that list everything under public_html /

How to restrict a rule to changes only in the specified directory?

Thank you very much.

+6
source share
1 answer

A watch is really a syscall disguised rule. If you put the clock on a directory, auditctl will turn it into:

 -a exit,always -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

The -F dir field is recursive. However, if you just want to look at the recording directory, you can change this to the -F path.

 -a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

This is not recursive and just looks at the inode that the directory occupies.

I had to add the rule manually: /etc/audit/audit.rules

then restart auditd using

 /etc/init.d/auditd restart

now the rules are being added and it works great! All credit belongs to Steve @redhat, who answered my question on the audit mailing list: https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html

+11
source

Source: https://habr.com/ru/post/954690/

More articles:


All Articles