Auditd - auditctl rule to monitor dir only (not all sub dir and files etc..)

superuseroi picture superuseroi · Sep 26, 2013 · Viewed 15.9k times · Source

I am trying to use auditd to monitor changes to a directory. The problem is that when I setup a rule it does monitor the dir I specified but also all the sub dir and files making the monitor useless due to endless verbosity.

Here is the rule I setup:

auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch

when I search the logs using

ausearch -k raven-pubhtmlwatch

I get thousands of lines of logs that list everything under public_html/

How can I limit the rule to changes on the directory specified only?

Thank you very much.

Answer

superuseroi picture superuseroi · Sep 27, 2013

A watch is really a syscall rule in disguise. If you place a watch on a directory, auditctl will turn it into:

-a exit,always  -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

The -F dir field is recursive. However, if you just want to watch the directory entries, you can change that to -F path.

-a exit,always  -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

This is not recursive and just watches the inode that the directory occupies.

I had to add the rule manually in: /etc/audit/audit.rules

then restart auditd using

/etc/init.d/auditd restart

now the rules are added and it works great! All credit goes to Steve @ redhat who answered my question in the audit mailing list: https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html