Auditd - auditctl rule to monitor dir only (not all sub dir and files etc..) [closed]

Question

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

---

This question does not appear to be about programming within the scope defined in the help center.

Closed 7 years ago.

Improve this question

I am trying to use auditd to monitor changes to a directory. The problem is that when I setup a rule it does monitor the dir I specified but also all the sub dir and files making the monitor useless due to endless verbosity.

Here is the rule I setup:

auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch

when I search the logs using

ausearch -k raven-pubhtmlwatch

I get thousands of lines of logs that list everything under public_html/

How can I limit the rule to changes on the directory specified only?

Thank you very much.

Answer 1

A watch is really a syscall rule in disguise. If you place a watch on a directory, auditctl will turn it into:

-a exit,always  -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

The -F dir field is recursive. However, if you just want to watch the directory entries, you can change that to -F path.

-a exit,always  -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

This is not recursive and just watches the inode that the directory occupies.

I had to add the rule manually in: /etc/audit/audit.rules

then restart auditd using

/etc/init.d/auditd restart

now the rules are added and it works great! All credit goes to Steve @ redhat who answered my question in the audit mailing list: https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html