Correct me if I am wrong, but in doing the auditctl -w /home, the only thing that is being audited is the inode entry for the directory itself.  You need to construct an explicit list of each file you want to watch.  You can do this rather easily with a combination of find and awk.

Regards.
Kevin

On Tue, 2008-05-20 at 09:11 +0800, zhangxiliang wrote: 
HI,
        When I use "auditctl -w /home" to watch a directory, nothing about the 
directory changed can be output.

       I found the "audit tree handle_event" in audit_tree.c in kernel. It 
implements as follows:

       static void handle_event(struct inotify_watch *watch, u32 wd, u32 mask,
                         u32 cookie, const char *dname, struct inode *inode)
{
	struct audit_chunk *chunk = container_of(watch, struct audit_chunk, watch);

	if (mask & IN_IGNORED) {
		evict_chunk(chunk);
		put_inotify_watch(watch);
	}
}

        In "handle_event", the mask can be "IN_MOVED_FROM", "IN_MOVED_TO", 
"IN_DELETE_SELF", "IN_IGNORED" and so on.
        Why it only deals with the mask  " IN_IGNORED" and ignores the other 
mask?

--
Regards
Zhang Xiliang
--------------------------------------------------
Zhang Xiliang
Development Dept.I
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST) 8/F., Civil Defense 
Building, No.189 Guangzhou Road, Nanjing, 210029, China
TEL: +86+25-86630566-838
COINS: 79955-838
FAX: +86+25-83317685
MAIL: zhangxiliang@cn.fujitsu.com
--------------------------------------------------
This communication is for use by the intended recipient(s) only and may 
contain information that is privileged, confidential and exempt from 
disclosure under applicable law. If you are not an intended recipient of this 
communication, you are hereby notified that any dissemination, distribution or 
copying hereof is strictly prohibited.  If you have received this 
communication in error, please notify me by reply e-mail, permanently delete 
this communication from your system, and destroy any hard copies you may have 
printed.




--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit