Steve Grubb wrote: [Wed Aug 10 2005, 04:09:35PM EDT]
> On Wednesday 10 August 2005 15:58, Amy Griffis wrote:
> > I think it would help if audit had a finer-grained mechanism for
> > specifying events to watch for.
> Please elaborate. I am mulling over the next specs. Maybe an example
> usage, too?
A few weeks ago in #audit, Tim, Rob (_blah_) and I discussed using the
inotify events. For example, from inotify.h:
/* the following are legal, implemented events that user-space can watch for */
#define IN_ACCESS 0x00000001 /* File was accessed */
#define IN_MODIFY 0x00000002 /* File was modified */
#define IN_ATTRIB 0x00000004 /* Metadata changed */
#define IN_CLOSE_WRITE 0x00000008 /* Writtable file was closed */
#define IN_CLOSE_NOWRITE 0x00000010 /* Unwrittable file closed */
#define IN_OPEN 0x00000020 /* File was opened */
#define IN_MOVED_FROM 0x00000040 /* File was moved from X */
#define IN_MOVED_TO 0x00000080 /* File was moved to Y */
#define IN_CREATE 0x00000100 /* Subfile was created */
#define IN_DELETE 0x00000200 /* Subfile was deleted */
#define IN_DELETE_SELF 0x00000400 /* Self was deleted */
/* helper events */
#define IN_CLOSE (IN_CLOSE_WRITE | IN_CLOSE_NOWRITE) /* close */
#define IN_MOVE (IN_MOVED_FROM | IN_MOVED_TO) /* moves */
#define IN_ALL_EVENTS (IN_ACCESS | IN_MODIFY | IN_ATTRIB | IN_CLOSE_WRITE | \
IN_CLOSE_NOWRITE | IN_OPEN | IN_MOVED_FROM | \
IN_MOVED_TO | IN_DELETE | IN_CREATE | IN_DELETE_SELF)
I suppose an example might be to use -E for event (as -e is already
taken). There are too many possibilities to practically use a single
character "mask", so you'd probably have to do something like:
-E access -E modify -E move
or
-E all
Any other ideas?
Amy
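An added example, not code from the linux-audit thread or from the audit project: it turns the proposed "-E access -E modify -E move" / "-E all" keywords into an inotify mask built from the IN_* bits quoted above, and on Linux installs a watch with that mask and prints the first batch of events it sees. The keyword table, the comma-separated form ("-E access,modify"), the function names and the command-line handling are assumptions made for illustration; the IN_* values are taken from the inotify.h excerpt in the message.

```c
/* Added example: map audit-style "-E <event>" keywords onto inotify mask bits.
 * Keyword names, parse_event_mask(), describe_mask() and the CLI are assumed
 * for illustration; they are not part of auditctl or the kernel. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

#ifdef __linux__
#include <sys/inotify.h>
#else
/* Values copied from the inotify.h excerpt quoted in the thread, so the
 * parsing part also builds on non-Linux hosts. */
#define IN_ACCESS        0x00000001
#define IN_MODIFY        0x00000002
#define IN_ATTRIB        0x00000004
#define IN_CLOSE_WRITE   0x00000008
#define IN_CLOSE_NOWRITE 0x00000010
#define IN_OPEN          0x00000020
#define IN_MOVED_FROM    0x00000040
#define IN_MOVED_TO      0x00000080
#define IN_CREATE        0x00000100
#define IN_DELETE        0x00000200
#define IN_DELETE_SELF   0x00000400
#define IN_CLOSE      (IN_CLOSE_WRITE | IN_CLOSE_NOWRITE)
#define IN_MOVE       (IN_MOVED_FROM | IN_MOVED_TO)
#define IN_ALL_EVENTS (IN_ACCESS | IN_MODIFY | IN_ATTRIB | IN_CLOSE_WRITE | \
                       IN_CLOSE_NOWRITE | IN_OPEN | IN_MOVED_FROM | \
                       IN_MOVED_TO | IN_DELETE | IN_CREATE | IN_DELETE_SELF)
#endif

/* Hypothetical -E keyword table: one lower-case name per event or helper mask. */
static const struct { const char *name; uint32_t bits; } event_names[] = {
    { "access", IN_ACCESS }, { "modify", IN_MODIFY }, { "attrib", IN_ATTRIB },
    { "close_write", IN_CLOSE_WRITE }, { "close_nowrite", IN_CLOSE_NOWRITE },
    { "open", IN_OPEN }, { "moved_from", IN_MOVED_FROM }, { "moved_to", IN_MOVED_TO },
    { "create", IN_CREATE }, { "delete", IN_DELETE }, { "delete_self", IN_DELETE_SELF },
    { "close", IN_CLOSE }, { "move", IN_MOVE }, { "all", IN_ALL_EVENTS },
};

/* Look up one keyword; 0 means "unknown" so callers can reject typos. */
uint32_t event_bits(const char *name)
{
    for (size_t i = 0; i < sizeof event_names / sizeof event_names[0]; i++)
        if (strcmp(name, event_names[i].name) == 0)
            return event_names[i].bits;
    return 0;
}

/* Parse "access,modify,move" into a mask. Any unknown or empty name makes the
 * whole spec invalid (returns 0) rather than silently watching fewer events. */
uint32_t parse_event_mask(const char *spec)
{
    uint32_t mask = 0;
    while (*spec) {
        const char *end = strchr(spec, ',');
        size_t n = end ? (size_t)(end - spec) : strlen(spec);
        char name[32];
        if (n == 0 || n >= sizeof name)
            return 0;
        memcpy(name, spec, n);
        name[n] = '\0';
        uint32_t bits = event_bits(name);
        if (bits == 0)
            return 0;
        mask |= bits;
        spec += n + (end ? 1 : 0);
    }
    return mask;
}

/* Render a mask as "moved_from|moved_to" using only the single-bit names, so
 * helper masks such as IN_MOVE are shown as their components. */
char *describe_mask(uint32_t mask, char *buf, size_t len)
{
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof event_names / sizeof event_names[0]; i++) {
        uint32_t b = event_names[i].bits;
        if ((b & (b - 1)) != 0 || !(mask & b))   /* skip helpers and unset bits */
            continue;
        int w = snprintf(buf + used, len - used, "%s%s", used ? "|" : "", event_names[i].name);
        if (w < 0 || (size_t)w >= len - used)
            break;
        used += (size_t)w;
    }
    return buf;
}

/* Usage: prog <path> -E access -E modify -E move   (or -E access,modify,move) */
int main(int argc, char *argv[])
{
    uint32_t mask = 0;
    char buf[160];
    if (argc < 4) {
        fprintf(stderr, "usage: %s <path> -E <event>[,<event>...] ...\n", argv[0]);
        return 2;
    }
    for (int i = 2; i + 1 < argc; i += 2) {
        uint32_t bits = strcmp(argv[i], "-E") == 0 ? parse_event_mask(argv[i + 1]) : 0;
        if (bits == 0) {
            fprintf(stderr, "bad event spec: %s %s\n", argv[i], argv[i + 1]);
            return 2;
        }
        mask |= bits;
    }
    printf("watching %s for %s (mask 0x%08x)\n", argv[1], describe_mask(mask, buf, sizeof buf), mask);
#ifdef __linux__
    int fd = inotify_init();
    if (fd < 0 || inotify_add_watch(fd, argv[1], mask) < 0) {
        perror("inotify");
        return 1;
    }
    char evbuf[4096] __attribute__((aligned(8)));
    ssize_t n = read(fd, evbuf, sizeof evbuf);        /* blocks until something happens */
    for (char *p = evbuf; n > 0 && p < evbuf + n; ) {
        struct inotify_event *ev = (struct inotify_event *)p;
        printf("event %s%s%s\n", describe_mask(ev->mask, buf, sizeof buf),
               ev->len ? " on " : "", ev->len ? ev->name : "");
        p += sizeof *ev + ev->len;
    }
    close(fd);
#endif
    return 0;
}
```

Rejecting the whole spec on an unknown keyword is deliberate: for a watch rule, a typo that quietly drops an event is worse than a rule that refuses to load.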