On Wed, 2008-05-21 at 11:03 -0400, Steve Grubb wrote:
> ...
> Also, note that -w rules are legacy for compatibility with RHEL4 kernel. They
> are used to express simple ideas like watch this file or directory subtree.
> If you want tight control over what you are auditing, you should use the
> syscall audit format where you can express more details about what you wanted
> to trigger on. IOW, you can express that you want changes to a directory
> itself rather than the files in the directory.
> -Steve
Steve, do any of the syscall directory watches recursively audit to the
bottom of a given directory tree?
I had kept many "-w" fields in place because the man page says they do not
impact performance based on the number of rules, and I wanted the full
subtree covered.
Should I look to changing these watches to specific syscall watches in
order to not get "legacied out" at some point?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
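The two rule forms discussed above, side by side, as an added example; this is not code from the thread or from the audit project. It rewrites legacy `-w PATH -p PERMS -k KEY` watches into the syscall form Steve describes, using `-F dir=` for a directory (documented in auditctl(8) as starting from that directory downward, i.e. the whole subtree) and `-F path=` for a single object, and it emits a separate rule that fires only when entries are added, removed or renamed in the directory itself, which is the distinction a plain watch cannot express. Assumptions: the sample rules file is constructed, the `DIR_ENTRY_SYSCALLS` list is an illustrative subset rather than the kernel's syscall-class tables, and the `is_dir` callback decides dir= versus path= (a real `os.path.isdir` on the host, injectable for testing). Load the output with `auditctl -R` and confirm what each rule actually matches on your kernel with `ausearch -k KEY` before retiring the watches.

```python
#!/usr/bin/env python3
"""Rewrite legacy audit watches (-w PATH -p PERMS -k KEY) as explicit
syscall rules, and emit a 'directory itself' rule a watch cannot express."""
import os
import shlex

# Syscalls that add, remove or rename names in a directory, i.e. change the
# directory itself rather than the content of files under it.  Assumed,
# illustrative list for this example; extend it to match your kernel.
DIR_ENTRY_SYSCALLS = (
    "creat,mkdir,mkdirat,mknod,mknodat,link,linkat,symlink,symlinkat,"
    "rename,renameat,unlink,unlinkat,rmdir"
)

# Constructed sample rules file; not taken from the mailing-list thread.
SAMPLE_RULES = """\
-w /etc/ -p wa -k etc_changes
-w /etc/ssh/sshd_config -p wa -k sshd_conf
-a always,exit -F arch=b64 -S execve -k exec   # already syscall form, passed through
"""


def parse_watch(line):
    """Return {'path', 'perms', 'key'} for a '-w' line, or None for anything else."""
    body = line.split("#", 1)[0].strip()
    if not body.startswith("-w"):
        return None
    argv = shlex.split(body)
    watch = {"path": None, "perms": "", "key": None}
    i = 0
    while i < len(argv):
        if i + 1 >= len(argv):
            raise ValueError(f"option {argv[i]} is missing its argument: {line!r}")
        flag, value = argv[i], argv[i + 1]
        if flag == "-w":
            watch["path"] = value.rstrip("/") or "/"
        elif flag == "-p":
            watch["perms"] = value
        elif flag == "-k":
            watch["key"] = value
        else:
            raise ValueError(f"unsupported option in watch rule: {flag}")
        i += 2
    if watch["path"] is None:
        raise ValueError(f"watch rule without a path: {line!r}")
    return watch


def watch_to_syscall_rules(watch, subtree, archs=("b64", "b32")):
    """Equivalent syscall rules.  -F dir= covers the whole subtree below the
    path; -F path= matches only that one object.  A watch is arch-independent,
    so one syscall rule is emitted per arch the host can execute."""
    tail = [f"-F {'dir' if subtree else 'path'}={watch['path']}"]
    if watch["perms"]:
        tail.append(f"-F perm={watch['perms']}")
    if watch["key"]:
        tail.append(f"-k {watch['key']}")
    return [f"-a always,exit -F arch={arch} -S all " + " ".join(tail) for arch in archs]


def directory_entry_rule(path, key, arch="b64"):
    """Fire when entries are created, removed or renamed in `path` itself.
    -F path= does not descend into the subtree and the -S list contains no
    read/write syscalls, so edits to existing files beneath it do not match."""
    return (f"-a always,exit -F arch={arch} -S {DIR_ENTRY_SYSCALLS} "
            f"-F path={path.rstrip('/') or '/'} -k {key}")


def convert_rules(text, is_dir=os.path.isdir, archs=("b64", "b32")):
    """Rewrite every -w line in an audit.rules text; pass other rules through."""
    out = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        watch = parse_watch(body)
        if watch is None:
            out.append(body)
        else:
            out.extend(watch_to_syscall_rules(watch, is_dir(watch["path"]), archs))
    return out


if __name__ == "__main__":
    # On a real host is_dir stats the path, so files get path= and directories dir=.
    for rule in convert_rules(SAMPLE_RULES):
        print(rule)
    print(directory_entry_rule("/etc", "etc_entries"))
```

One watch becomes two rules because `-S all` still needs an `-F arch=` per ABI on a bi-arch host, where the watch needed none; that is part of the cost of moving off `-w`. The `-F perm=` field carries the same r/w/x/a class filter the `-p` flag did, so the converted rule is no narrower than the watch until you replace `-S all` with the specific syscalls you care about.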