Auditd - watch a specific file type

Support for security such as Firewalls and securing linux
feluzde
Posts: 1
Joined: 2014/07/29 14:16:20

Auditd - watch a specific file type

Post by feluzde » 2014/07/29 14:24:09

Hey there,

I'm trying to watch a specific file type (.conf) with auditd, as follows:

Code:

-w /home/myuser/*.conf -p aw -k mykey

My problem is that auditd does not accept the "*" character. I can watch the whole directory but not only the .conf files.
Any thoughts?

Thanks in advance.

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: Auditd - watch a specific file type

Post by unspawn » 2014/08/25 17:59:51

//Bit stale but since it is a 0-reply thread...
feluzde wrote: My problem is that auditd does not accept the "*" character. I can watch the whole directory but not only the .conf files.

Apparently auditctl doesn't support shell globbing then. Apart from the fact that the practice of watching user-owned files seems questionable to me (as they can change them any time), you could feed the rules like:

Code:

find /home/myuser/ -type f -iname '*.conf' -print0 | xargs -0 -I X auditctl -w X -p aw -k mykey

Obviously this doesn't add files after the watch is set so bonus points if you wrap it in some script triggered with inotify.
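
The find-plus-inotify approach suggested in the reply above, as an added example that is not part of the original thread. The `AUDITCTL` override and the function names are assumptions made for this example; `inotifywait` comes from the inotify-tools package.

```shell
#!/bin/sh
# Added example (not from the thread): audit every *.conf file under a
# directory, including files that appear after the first pass.
# Assumption: AUDITCTL is a knob invented here; AUDITCTL=echo gives a dry run.
: "${AUDITCTL:=auditctl}"

# is_conf PATH: succeed if the name ends in .conf (any case),
# mirroring the -iname '*.conf' test given to find.
is_conf() {
    case $1 in
        *.[cC][oO][nN][fF]) return 0 ;;
        *) return 1 ;;
    esac
}

# add_watch FILE KEY: same permissions (-p aw) and key option as the thread's rule.
add_watch() {
    "$AUDITCTL" -w "$1" -p aw -k "$2"
}

# add_existing DIR KEY: one watch per existing regular *.conf file.
# find hands each path over as a single argument, so spaces are safe.
add_existing() {
    find "$1" -type f -iname '*.conf' -exec "$AUDITCTL" -w {} -p aw -k "$2" \;
}

# follow_new DIR KEY: block forever and add a watch whenever a *.conf
# file is created in, or moved into, DIR or one of its subdirectories.
# This line-based loop does not handle paths that contain newlines.
follow_new() {
    inotifywait -m -r -q -e create -e moved_to --format '%w%f' "$1" |
    while IFS= read -r path; do
        if is_conf "$path" && [ -f "$path" ]; then
            add_watch "$path" "$2" || echo "watch failed: $path" >&2
        fi
    done
}

# Usage (as root): sh conf-watch.sh /home/myuser mykey
if [ "$#" -eq 2 ]; then
    add_existing "$1" "$2"
    follow_new "$1" "$2"
fi
```

Files created between the initial `find` pass and the moment `inotifywait` has set up its watches are not picked up; rerun the `find` pass if that window matters.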
