Auditd - watch a specific file type
Posted: 2014/07/29 14:24:09
by feluzde
Hey there,
I'm trying to watch a specific file type (.conf) with auditd, as follows:
Code:
-w /home/myuser/*.conf -p aw -k mykey
My problem is that auditd does not accept the "*" character. I can watch the whole directory but not only the .conf files.
Any thoughts?
Thanks in advance.
Re: Auditd - watch a specific file type
Posted: 2014/08/25 17:59:51
by unspawn
//Bit stale but since it is a 0-reply thread...
feluzde wrote: My problem is that auditd does not accept the "*" character. I can watch the whole directory but not only the .conf files.
Apparently auditctl doesn't support shell globbing then. Apart from the fact that the practice of watching user-owned files seems questionable to me (as they can change it any time), you could feed the rules like:
Code:
# find expands the pattern; xargs runs auditctl once per matching file (-I replaces the deprecated -i)
find /home/myuser/ -type f -iname '*.conf' -print0 | xargs -0 -I X auditctl -w X -p aw -k mykey
Obviously this doesn't add files after the watch is set so bonus points if you wrap it in some script triggered with inotify.
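The approach from the reply above, written out as a script (an added example, not code posted in the thread): find expands the pattern and hands each path to auditctl, and an inotifywait loop adds watches for .conf files that appear later. AUDITCTL is an override variable introduced here for dry runs, and inotifywait is assumed to be installed from inotify-tools.

```shell
#!/bin/sh
# Added example, not from the thread. AUDITCTL is a hook introduced here so the
# logic can be dry-run without root, e.g. AUDITCTL=echo.
AUDITCTL=${AUDITCTL:-auditctl}

# Load one watch per existing *.conf file under $1, tagged with key $2.
# find does the expansion that auditctl will not; -exec passes each path as a
# single argument, so file names containing spaces are handled.
watch_existing() {
    find "$1" -type f -iname '*.conf' \
        -exec "$AUDITCTL" -w {} -p aw -k "$2" \;
}

# Follow $1 recursively and add a watch for each *.conf created or moved in
# later. Writes made before the watch is loaded are not audited, and file
# names containing newlines are not handled by this line-based loop.
watch_new() {
    inotifywait -m -r -q -e create -e moved_to --format '%w%f' "$1" |
    while IFS= read -r f; do
        case $f in
            *.[cC][oO][nN][fF])
                if [ -f "$f" ]; then
                    # A failed add (for example a rule that is already
                    # loaded) must not end the loop.
                    "$AUDITCTL" -w "$f" -p aw -k "$2" || true
                fi ;;
        esac
    done
}

# Run as root: sh watch-conf.sh /home/myuser mykey
if [ "$#" -eq 2 ]; then
    watch_existing "$1" "$2"
    watch_new "$1" "$2"
fi
```

Matching events can then be pulled with `ausearch -k mykey`.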