Quote:
Originally Posted by unSpawn
Welcome to LQ. Hope you like it here.
Did you read man 'audit.rules'?
Have you checked CAPP / NISPOM / et cetera rulesets available on your system to get an idea about how to write rules?
What rules have you tried?
Can you post those examples?
Did you read 'man auditctl'? (The "-w path" explanation wrt inserting watches at the top level directory should be a hint.)
Thank you for your delicacy.
For example, I write these rules to the audit.rules file with the -w parameter:
-w /home -p w -k WriteProcess
-w /home -p r -k ReadProcess
This works, but this technique requires writing out all the directory names (listing every top-level directory name under the root directory).
Example: /home, /etc, /opt ...
But I need these directory names to be watched automatically by the audit daemon. If a directory is added to the system, it is not watched (unless it is added manually).
e.g. -> a user adds the directory /testing (mkdir /testing). Writes there are not watched, because it is not defined in the audit.rules file.
I have tried the -W parameter to remove a watch from the watch list after watching the root directory with -w. But it is not working?
-w / -p w
-W /proc
Quote:
man auditctl:
-W path
Remove a watch for the file system object at path.
I hope I have explained it.
Thank you.
// EDIT: Sorry for my bad English.
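The post above wants every top-level directory watched without listing /home, /etc, /opt by hand. A static audit.rules file cannot do that on its own: a watch only covers paths that exist as rules when the rules are loaded, so a directory created later (the mkdir /testing case) is not covered until a rule for it is added. One practical workaround is to generate the -w lines from the directory listing and reload the rules. The script below is an added example, not code from the original post or from the audit project; it reuses the WriteProcess/ReadProcess key names from the post, and the list of pseudo-filesystems it skips (proc, sys, dev, run) is my own choice.

```shell
#!/bin/sh
# Added example (not from the original post): emit one auditd "-w" watch pair
# per top-level directory so the rule file does not have to be written by hand.
# Assumptions: key names WriteProcess/ReadProcess come from the post; the
# default exclusion list "proc sys dev run" is mine (pseudo-filesystems whose
# churn would flood the audit log and which auditd cannot usefully watch).

# gen_watch_rules ROOT [EXCLUDES]
#   Prints "-w DIR -p wa -k WriteProcess" and "-w DIR -p r -k ReadProcess"
#   for every directory directly under ROOT, skipping names listed in the
#   space-separated EXCLUDES string and skipping symlinked directories
#   (e.g. /bin -> usr/bin on merged-/usr systems, which the /usr watch covers).
gen_watch_rules() {
    root=${1%/}                       # "/" becomes "", so the glob reads "/*/"
    excludes=${2:-"proc sys dev run"}
    for dir in "$root"/*/; do
        dir=${dir%/}                  # strip the trailing slash left by the glob
        [ -d "$dir" ] || continue     # unmatched glob: ROOT has no subdirectories
        [ -L "$dir" ] && continue     # symlink to a directory: skip
        name=${dir##*/}
        skip=0
        for ex in $excludes; do
            [ "$name" = "$ex" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        printf -- '-w %s -p wa -k WriteProcess\n' "$dir"
        printf -- '-w %s -p r -k ReadProcess\n' "$dir"
    done
}

# count_watch_rules ROOT [EXCLUDES]
#   Number of "-w" lines gen_watch_rules would produce; handy for a sanity
#   check before overwriting a rules file.
count_watch_rules() {
    gen_watch_rules "$1" "${2-}" | grep -c '^-w '
}

# Stand-alone demo on a constructed, throw-away directory tree (not a real
# root filesystem), so it runs offline without touching /etc/audit.
demo_root=$(mktemp -d)
mkdir "$demo_root/home" "$demo_root/etc" "$demo_root/proc"
ln -s home "$demo_root/homelink"
echo "# rules generated for $demo_root:"
gen_watch_rules "$demo_root"
echo "# $(count_watch_rules "$demo_root") watch lines"
rm -rf "$demo_root"
```

On a real system run `gen_watch_rules / > /etc/audit/rules.d/10-toplevel.rules` and reload with `augenrules --load` (or `auditctl -R` on the generated file for an immediate, non-persistent load). Because the rule set is still static, a directory created after the last run is only covered after the generator runs again, so schedule it (cron or a systemd timer) if that gap matters; note too that a `-p r` watch on every top-level directory produces a very large event volume on a busy host.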