
I am trying to use auditd to monitor changes to a directory. The problem is that when I set up a rule it does monitor the dir I specified, but also all the subdirectories and files, making the monitor useless due to endless verbosity.

Here is the rule I set up:

auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch

When I search the logs using

ausearch -k raven-pubhtmlwatch

I get thousands of lines of logs that list everything under public_html/.

How can I limit the rule to changes on the directory specified only?

Thank you very much.

superuseroi
    also asked here: http://superuser.com/q/650714/4714 – glenn jackman Sep 26 '13 at 16:30
  • This question appears to be off-topic because it was asked/answered on SuperUser - http://superuser.com/questions/650714/auditd-auditctl-rule-to-monitor-dir-only-not-all-sub-dir-and-files-etc – Taryn Jul 23 '14 at 13:31
  • @bluefeet at the time of asking this question I was not sure where to best post it. If you feel this is just redundant and not helpful to other users looking for this, then please remove it. Please also let me know any suggestion for the future. Thank you! – superuseroi Jul 23 '14 at 17:15

1 Answer


A watch is really a syscall rule in disguise. If you place a watch on a directory, auditctl will turn it into:

-a exit,always  -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

The -F dir field is recursive. However, if you just want to watch the directory entries, you can change that to -F path.

-a exit,always  -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

This is not recursive and just watches the inode that the directory occupies.

I had to add the rule manually in /etc/audit/audit.rules

and then restart auditd using

/etc/init.d/auditd restart

Now the rules are added and it works great! All credit goes to Steve @ redhat who answered my question on the audit mailing list: https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html

superuseroi
  • I had to use this brilliant `auditctl` thing in a production server. I now worry that it might impact performance. Is it enough to do `auditctl -D` to remove all rules, or do I need to uninstall it or deactivate it in any way? Do you know? Thanks! – pgr Jun 17 '17 at 09:34
  • What sort of watch produces the syscall rule you provide? I.e., I have a rule that just watches for attribute changes, i.e. it has the switch `-p a`. What syscall rule would that produce? Also, don't syscall rules need to use the `-S` switch to specify which syscall to watch? – Andrew Nov 30 '17 at 05:14
  • Not quite correct: if you place a watch on a directory without specifying any permissions, the default will be warx, not war. As an aside, note that auditctl will happily accept invalid files and directories to watch, as long as the invalid part is the leaf. Invalid paths that fail earlier than the leaf will raise an error. – Urhixidur Dec 06 '17 at 21:33
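As an added example (not from the answer or the comments above), the conversion the answer describes written as a POSIX sh function: it renders an `auditctl -w` watch as the `-a exit,always` syscall rule auditctl installs for it, with `-F dir=` for the recursive default and `-F path=` for the directory inode only, and it goes slightly beyond the answer by applying auditctl's default of all four permissions (rwxa) when `-p` is omitted, the point raised in the last comment. The function name and the `APPLY_RULE` variable are my own.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the answer): render an
# `auditctl -w TARGET -p PERMS -k KEY` watch as the syscall rule auditctl
# installs for it.  Usage: watch_to_syscall TARGET [PERMS] [KEY] [recursive|leaf]
#   recursive -> -F dir=  (the default for a watch; covers everything below TARGET)
#   leaf      -> -F path= (only the inode TARGET itself occupies, as in the answer)
# PERMS defaults to rwxa, which is what auditctl assumes when -p is omitted.
watch_to_syscall() {
    target=$1
    perms=${2:-rwxa}
    key=$3
    scope=${4:-recursive}

    # Only r, w, x and a are valid permission letters; reject anything else.
    case $perms in
        '' | *[!rwxa]*)
            echo "watch_to_syscall: invalid perms '$perms'" >&2
            return 1 ;;
    esac

    case $scope in
        recursive) field=dir ;;
        leaf)      field=path ;;
        *) echo "watch_to_syscall: scope must be recursive or leaf" >&2; return 1 ;;
    esac

    out="-a exit,always -F $field=$target -F perm=$perms"
    [ -n "$key" ] && out="$out -F key=$key"
    printf '%s\n' "$out"
}

# The non-recursive rule for the question's directory.  Set APPLY_RULE=1 to load
# it into the running auditd (needs root); otherwise just show the command.
LEAF_RULE=$(watch_to_syscall /home/raven/public_html war raven-pubhtmlwatch leaf)
if [ "${APPLY_RULE:-0}" = 1 ]; then
    # shellcheck disable=SC2086  # splitting the rule into arguments is intended
    auditctl $LEAF_RULE
    auditctl -l     # list the loaded rules to confirm it took
else
    printf 'would run: auditctl %s\n' "$LEAF_RULE"
fi
```

Append the printed rule to /etc/audit/audit.rules, as the answer does, to keep it across restarts; `-k KEY` on the command line is the same as `-F key=KEY`.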