Auditd - auditctl rule to monitor dir only (not all sub dir and files etc..)


A watch is really a syscall rule in disguise. If you place a watch on a directory, auditctl will turn it into:

-a exit,always  -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

The -F dir field is recursive. However, if you just want to watch the directory entries, you can change that to -F path.

-a exit,always  -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

This is not recursive and just watches the inode that the directory occupies.

I had to add the rule manually in: /etc/audit/audit.rules

Then restart auditd using

/etc/init.d/auditd restart

Now the rules are added and it works great! All credit goes to Steve @ redhat who answered my question on the audit mailing list: https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html
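The watch-to-syscall-rule expansion described above, as an added example that is not code from the answer or from the audit project: it parses an `auditctl -w PATH -p PERMS -k KEY` line and emits either the recursive `-F dir` form or the inode-only `-F path` form. It assumes auditctl's documented default of all four permissions (r, w, x, a) when `-p` is omitted; the path, perms and key values are the ones from the question.

```python
"""Rewrite an `auditctl -w PATH -p PERMS -k KEY` watch as the syscall rule
it really is, choosing -F dir (recursive) or -F path (directory inode only).

Added example, not part of the original answer. The default permission set
"rwxa" when -p is omitted follows auditctl's documented behaviour."""
import shlex

VALID_PERMS = set("rwxa")


def parse_watch(cmd):
    """Return (path, perms, key) from an `auditctl -w ...` command line."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "auditctl":
        raise ValueError("expected an auditctl command line")
    path = perms = key = None
    i = 1
    while i < len(argv):
        flag = argv[i]
        if flag not in ("-w", "-p", "-k"):
            raise ValueError(f"unsupported flag for a watch: {flag}")
        if i + 1 >= len(argv):
            raise ValueError(f"{flag} needs a value")
        value = argv[i + 1]
        if flag == "-w":
            path = value
        elif flag == "-p":
            # Only r, w, x and a are legal permission letters.
            if not value or set(value) - VALID_PERMS:
                raise ValueError(f"bad permission spec {value!r}")
            perms = value
        else:
            key = value
        i += 2
    if path is None:
        raise ValueError("-w PATH is required")
    return path, perms or "rwxa", key


def watch_to_syscall_rule(cmd, recursive=True):
    """Expand a watch into the -a exit,always rule auditctl builds from it.

    recursive=True  -> -F dir=PATH  (everything below PATH, the noisy form)
    recursive=False -> -F path=PATH (only the inode PATH itself occupies)
    """
    path, perms, key = parse_watch(cmd)
    field = "dir" if recursive else "path"
    rule = f"-a exit,always -F {field}={path} -F perm={perms}"
    return rule + (f" -F key={key}" if key else "")


if __name__ == "__main__":
    watch = "auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch"
    print(watch_to_syscall_rule(watch))                   # recursive -F dir
    print(watch_to_syscall_rule(watch, recursive=False))  # inode-only -F path
```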

Author: superuseroi

Updated on July 24, 2022

Comments

  • superuseroi
    superuseroi almost 2 years

    I am trying to use auditd to monitor changes to a directory. The problem is that when I set up a rule it does monitor the dir I specified but also all the sub dirs and files, making the monitor useless due to endless verbosity.

    Here is the rule I set up:

    auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch

    When I search the logs using

    ausearch -k raven-pubhtmlwatch

    I get thousands of lines of logs that list everything under public_html/

    How can I limit the rule to changes on the directory specified only?

    Thank you very much.

  • pgr
    pgr about 7 years
    I had to use this brilliant auditctl thing in a production server. I now worry that it might impact performance. Is it enough to do auditctl -D to remove all rules, or do I need to uninstall it or deactivate it in any way? Do you know? Thanks!
  • Andrew
    Andrew over 6 years
    What sort of watch produces the syscall rule you provide? I.e., I have a rule that just watches for attribute changes, i.e. it has the switch -p a. What syscall rule would that produce? Also, don't syscall rules need to use the -S switch to specify which syscall to watch?
  • Urhixidur
    Urhixidur over 6 years
    Not quite correct: if you place a watch on a directory without specifying any permissions, the default will be warx, not war. As an aside, note that auditctl will happily accept invalid files and directories to watch, as long as the invalid part is the leaf. Invalid paths that fail earlier than the leaf will raise an error.