Hi;<br><br>Ok. For example watch /root directory and subdirectories:<br><br>I can only -&gt; Scan /root directory recursive(find /root/ -type d); and add to audit.rules file all result lines.<br><br>This technic true?<br><br>
Best Regards<br><br><br><div class="gmail_quote">On Tue, Jul 20, 2010 at 3:24 PM, Steve Grubb <span dir="ltr">&lt;<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Tuesday, July 20, 2010 08:04:02 am List Quest wrote:<br>
&gt; I trying RHEL 4.x series auditing.<br>
&gt;<br>
&gt; Example:<br>
&gt; Audit version: audit-1.0.15-3.EL4<br>
&gt;<br>
&gt; -w /root -p w<br>
&gt;<br>
&gt; config line added to audit.rules; but this config watch only &quot;/root&quot;<br>
&gt; directory writes. Do not watch &quot;/root/Desktop&quot;, &quot;/root/test&quot;, etc...<br>
&gt;<br>
&gt; I can&#39;t recusive directory watch; like audit version audit-1.7.17-3<br>
&gt;<br>
&gt; How this?<br>
<br>
</div></div>That is correct. The first iteration of the audit system has some limitations<br>
that were fixed over time. For example, another thing you cannot do on the<br>
older kernels is add a key to syscall rules.<br>
<font color="#888888"><br>
-Steve<br>
</font></blockquote></div><br>