On Wednesday 22 August 2007 10:17:37 Pete Briggs wrote:
> Is there any way to put a watch on a directory,

Sort of... RHEL5.1 will have subtree auditing working in it. Al Viro also sent
the patch upstream and should land in 2.6.23 or 24.

> so that an audit record will be generated if anyone cd's to that
> directory.

Not for cd'ing into a directory. They have to attempt to read, write, change
an attribute, or execute a file.

> I've tried things like:
> -w /etc/audit/ -k ACCESS_AUDIT

That is how you would watch a directory with current audit package and kernel
with the subtree auditing patch.

> but the rule never seems to get invoked. I'm running FC7 with
> audit-1.5.3

They have to actually do something for it to trip... assuming you have a kernel
that supports it.

-Steve
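
An added illustration, not part of the original message: a small Python parser that groups audit log records by event and lists the ones tagged with the ACCESS_AUDIT key from the rule above, including a denied attempt. The log lines are constructed samples in the auditd record layout, and the name `watch_hits` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in the auditd log layout (not from the thread).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1187792300.101:412): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2140 auid=500 uid=500 comm="cat" exe="/bin/cat" key="ACCESS_AUDIT"
type=CWD msg=audit(1187792300.101:412): cwd="/home/pete"
type=PATH msg=audit(1187792300.101:412): item=0 name="/etc/audit/auditd.conf" inode=12345 dev=08:01 mode=0100640 ouid=0 ogid=0
type=SYSCALL msg=audit(1187792311.554:413): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2188 auid=501 uid=501 comm="vi" exe="/bin/vi" key="ACCESS_AUDIT"
type=PATH msg=audit(1187792311.554:413): item=0 name="/etc/audit/audit.rules" inode=12346 dev=08:01 mode=0100640 ouid=0 ogid=0
type=SYSCALL msg=audit(1187792320.009:414): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2190 auid=500 uid=500 comm="cat" exe="/bin/cat" key="OTHER_RULE"
type=PATH msg=audit(1187792320.009:414): item=0 name="/etc/passwd" inode=777 dev=08:01 mode=0100644 ouid=0 ogid=0
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def watch_hits(log_text, key):
    """Return one summary per audit event whose SYSCALL record carries `key`."""
    # Records of one event share the same (timestamp, serial) pair.
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, ts, serial, body = m.groups()
        eid = (float(ts), int(serial))
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            events[eid]["syscall"] = fields
        elif rtype == "PATH":
            events[eid]["paths"].append(fields.get("name"))
    hits = []
    for eid in sorted(events):
        sc = events[eid]["syscall"]
        if sc and sc.get("key") == key:
            hits.append({"serial": eid[1], "auid": sc.get("auid"),
                         "comm": sc.get("comm"),
                         "success": sc.get("success") == "yes",
                         "paths": events[eid]["paths"]})
    return hits

if __name__ == "__main__":
    for hit in watch_hits(SAMPLE_LOG, "ACCESS_AUDIT"):
        print(hit)
```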