What's the difference between -F dir=XX and -w? - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

What's the difference between -F dir=XX and -w?

Log rotation issue

ausearch

Aaron Lewis

Friday, 3 January 2014 Fri, 3 Jan '14

12:30 a.m.

Hi, What's the difference between -F dir=XX and -w? -a exit,always -F arch=b64 -S open -F success=1 -F dir=/secure versus -w /secure -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33

Reply

Show replies by date

Bryan Harris

Friday, 3 January Fri, 3 Jan

2:12 a.m.

Hi Aaron, On Jan 3, 2014, at 12:30 AM, Aaron Lewis <the.warl0ck.1989(a)gmail.com> wrote:

Hi, What's the difference between -F dir=XX and -w? -a exit,always -F arch=b64 -S open -F success=1 -F dir=/secure versus -w /secure

I'm new to audit but I did a search and after a while found an old thread. I think -w /path is essentially expanded to be -F dir=/path rule except they don't put the -F arch=b64. I guess architecture may not matter for open() but that's just a guess. Here it is, https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html V/r, Bryan

Reply

Steve Grubb

8:18 a.m.

On Fri, 3 Jan 2014 14:30:58 +0800 Aaron Lewis <the.warl0ck.1989(a)gmail.com> wrote:

What's the difference between -F dir=XX and -w? -a exit,always -F arch=b64 -S open -F success=1 -F dir=/secure versus -w /secure

The '-w' option is for backwards compatibility with the original (RHEL4) implementation. What it does it detect what the target is (file or dir) and then expands into -F path= or -F dir= depending on what the target was. '-w' should be considered deprecated and is limited in its capabilities. This is explained in more detail on the auditctl man page. -Steve

Reply

4006

days inactive

4006

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

2 comments

3 participants

tags (0)

participants (3)

Aaron Lewis
Bryan Harris
Steve Grubb