RHEL 4 Audit

listreq · 08-02-2010, 07:25 AM

Hi All;

I trying RHEL 4.x series auditing.

Example:
Audit version: audit-1.0.15-3.EL4

-w /root -p w

config line added to audit.rules; but this config watch only "/root" directory writes. Do not watch "/root/Desktop", "/root/test", etc...

I can't recusive directory watch; like audit version audit-1.7.17-3

How this?

TB0ne · 08-03-2010, 09:12 AM

Quote:

Originally Posted by listreq

Hi All;
I trying RHEL 4.x series auditing.

Example:
Audit version: audit-1.0.15-3.EL4

-w /root -p w

config line added to audit.rules; but this config watch only "/root" directory writes. Do not watch "/root/Desktop", "/root/test", etc...

I can't recusive directory watch; like audit version audit-1.7.17-3
How this?

Your question is hard to read. But did you read the responses in your other thread, about the "maxdepth" flag, or how to set up the rules?? Also, since you're using RHEL, you can call RedHat for support, since you're paying for it, and they can walk you through this.