I am trying to use auditd to monitor changes to a directory. The problem is that when I set up a rule, it does monitor the dir I specified, but also all the subdirs and files, making the monitor useless due to endless verbosity.
Here is the rule I setup:
auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
when I search the logs using
ausearch -k raven-pubhtmlwatch
I get thousands of lines of logs that list everything under public_html/
How can I limit the rule to changes on the directory specified only?
Thank you very much.
A watch is really a syscall rule in disguise. If you place a watch on a directory, auditctl will turn it into:
-a exit,always -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
The -F dir field is recursive. However, if you just want to watch the directory entries, you can change that to -F path.
-a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
This is not recursive and just watches the inode that the directory occupies.
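As an added example (not from the thread above and not part of audit's own tooling), the following POSIX shell script performs the translation the answer describes: it takes the same arguments as an `auditctl -w` watch and prints the explicit `-a exit,always` syscall rule, using the recursive `-F dir=` form by default and the non-recursive `-F path=` form when `-n` is given, after validating the permission string. The function names `translate_watch` and `check_perm` are this example's own.

```shell
#!/bin/sh
# Added example: emit the syscall rule that auditctl builds from a -w watch,
# choosing between the recursive (-F dir) and non-recursive (-F path) forms.
# Nothing here touches the running audit system; it only prints rule lines
# suitable for /etc/audit/audit.rules.

# Validate an auditctl permission string: a non-empty combination of r, w, x, a.
check_perm() {
    case "$1" in
        '' | *[!rwxa]*) return 1 ;;
        *) return 0 ;;
    esac
}

# translate_watch [-n] -w PATH -p PERMS -k KEY
#   Without -n the rule uses -F dir=PATH, which is recursive and reports every
#   file and subdirectory under PATH (the behaviour the question ran into).
#   With -n the rule uses -F path=PATH, which watches only the inode that the
#   directory itself occupies.
translate_watch() {
    OPTIND=1
    _field=dir; _path=''; _perm=''; _key=''
    while getopts 'nw:p:k:' _opt; do
        case "$_opt" in
            n) _field=path ;;
            w) _path="$OPTARG" ;;
            p) _perm="$OPTARG" ;;
            k) _key="$OPTARG" ;;
            *) return 2 ;;
        esac
    done
    [ -n "$_path" ] && [ -n "$_key" ] || { echo "need -w PATH and -k KEY" >&2; return 2; }
    check_perm "$_perm" || { echo "bad -p value: $_perm" >&2; return 2; }
    # The leading "-a" is passed as an argument so the format string never
    # starts with a dash, which keeps this portable across printf builtins.
    printf '%s exit,always -F %s=%s -F perm=%s -F key=%s\n' -a "$_field" "$_path" "$_perm" "$_key"
}

# The watch from the question, in both forms. The second line is the one that
# stops the flood of events for everything under public_html/.
translate_watch -w /home/raven/public_html -p war -k raven-pubhtmlwatch
translate_watch -n -w /home/raven/public_html -p war -k raven-pubhtmlwatch
```

Append the printed line to /etc/audit/audit.rules and restart auditd, then confirm with `ausearch -k raven-pubhtmlwatch` that only operations on the directory entry itself are reported; be aware that a `-F path=` rule will not see a write that goes directly to a file already inside the directory, since that touches the file's inode rather than the directory's.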
I had to add the rule manually in: /etc/audit/audit.rules
then restart auditd using
/etc/init.d/auditd restart
Now the rules are added and it works great! All credit goes to Steve @ redhat who answered my question in the audit mailing list: https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html