Hello,
I am trying to monitor multiple files using Linux audit. In order to get better performance, I am trying to reduce the number of rules.
If I specify more than one path field, as in the example below, I get “Invalid argument”.
Example1:
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open
Error sending add rule data request (Invalid argument)
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open
Error sending add rule data request (Invalid argument)
However, I am able to create a single rule to monitor multiple PIDs or UIDs as below.
Example2:
# auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
# auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002
As per the auditctl man page, Build a rule field takes up to 64 fields on a single command line. Each one must start with -F. Each field equation is anded with each other to trigger an audit record.
My questions are:
1. Is specifying more than one path field, as in example1, valid?
2. If not valid, then how do I create a single audit rule to monitor multiple files/directories?
3. If valid, then why is “Invalid argument” reported?
4. To monitor 10 files, are 10 audit rules required?
5. If 10 rules are required, how do I optimize the rules for performance?
My next question is: does Linux audit support regular expressions? How do I create an audit rule to monitor /var/log/*.log?
# auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
Error sending add rule data request (Invalid argument)
If my questions are already documented, please guide me to the documentation.
Regards,
Ketan
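
The following is an added example, not part of the original post: since every -F field in a rule is ANDed and the kernel matches path= as a literal string (one path= or dir= per rule, no regex or glob), the shell can expand the pattern and print one rule per file, or a single dir= rule for the whole tree. The function names and the key "logwatch" are hypothetical; the rules are only printed, in the form accepted by `auditctl -R`, and nothing is loaded.

```shell
#!/bin/sh
# Added example (not from the original post): build audit rules for a set of
# files when path= only accepts one literal path per rule.

KEY="logwatch"   # assumed key; lets `ausearch -k logwatch` group the records

# gen_path_rules DIR SUFFIX
# Prints one rule per regular file matching DIR/*SUFFIX. The glob is expanded
# by the shell, so each emitted rule carries a plain absolute path.
gen_path_rules() {
    dir=$1
    suffix=$2
    for f in "$dir"/*"$suffix"; do
        # An unmatched glob stays literal and fails this test; also skips
        # directories, sockets and other non-regular files.
        [ -f "$f" ] || continue
        case $f in
            *' '*)
                # A space would split the rule line into extra arguments.
                echo "skipped (space in name): $f" >&2
                continue
                ;;
        esac
        printf '%s\n' "-a always,exit -F arch=x86_64 -F path=$f -S open -k $KEY"
    done
}

# gen_dir_rule DIR
# Prints a single rule that covers DIR recursively. Fewer rules to evaluate,
# at the cost of also recording opens of files that do not match the suffix.
gen_dir_rule() {
    printf '%s\n' "-a always,exit -F arch=x86_64 -F dir=$1 -S open -k $KEY"
}

# Usage, as root (output file name is a placeholder):
#   gen_path_rules /var/log .log > /tmp/log.rules && auditctl -R /tmp/log.rules
```

Files created after the rules are generated are not covered by the per-file form; the dir= form picks them up, and the suffix filter can then be applied when searching the records.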