Steve, In the response below you mention using mount --bind along with exit code logging to track a directory structure. I'm not familiar with --bind option, but according to the man page, it looks like a way to mount a file system in a second place (similar to MS-DOS "subst" command). While this is helpful for perhaps replacing a symlink with a "link" that can't be deleted, I don't understand how you would use this for auditing purposes. Could you elaborate? Thanks! -Dan Thomas Message: 3 Date: Tue, 2 Jan 2007 16:22:22 -0500 From: Steve Grubb <sgrubb(a)redhat.com&gt; Subject: Re: Audit rule questions To: linux-audit(a)redhat.com Cc: "Fulda, Paul \(Mission Systems\)" <Paul.Fulda(a)ngc.com&gt; Message-ID: <200701021622.22477.sgrubb(a)redhat.com&gt; Content-Type: text/plain; charset="utf-8" On Tuesday 02 January 2007 15:49, Fulda, Paul (Mission Systems) wrote: You can probably use mount --bind option to get this with syscall auditing rules rather than watches. Then use devmajor/minor (-a always,exit -S open -F devmajor=0x1F -F devminor=3 ). No. This area is very tricky to do right from an implementation point of view. Some things to consider: 1) What should the behavior be when subtrees get moved? IOW, we watch /opt/tmp/test/* and /opt/tmp gets renamed to /opt/tmp2 ? 2) What should the behavior be when subtrees get moved into the watched subtree? IOW, we watch /opt/temp/test/* and someone does a mv /opt/temp/test2 /opt/temp/test/test2 3) Should it catch the access via hardlink from outside the watched tree? 4) What should the behavior be if there is a mount point in the watched tree? 5) What should happen when we do mount --move to or from that subtree? 6) What should happen when mount --move the parent of subtree itself? 7) What should happen if tree is mounted elsewhere? (e.g. in chroot jail) 8) What should the behavior be if the directory is polyinstantiated? IOW, we watch /tmp/* and /tmp is polyinstantiated on a per user & per level basis. In RHEL4 using: using watches - no, using syscall audit rules - yes. RHEL5/2.6.19 is more flexible and can let you get better control over what is audited with watches. -Steve