Red Hat Bugzilla – Bug 440195
Feature request: Support for directory level audit with recursion before 2.6.24 kernel and above at userspace
Last modified: 2008-09-25 14:32:16 EDT
Description of problem:
Before kernel 2.6.24 there is no support for recursive directory level audit. If
there are a number of files and subdirectories in a parent directory and we want
to add a watch on all the files, then we have to put a watch on all the files and
directories explicitly. Even user-level support for this from the 2.6.24 kernel is
not available till now. Organisations do not migrate from one kernel
version to another frequently. For example, if they are using the 2.6.22 kernel, they will not
switch immediately to 2.6.24. This patch will add the feature in userspace, which
will work for kernel versions before 2.6.24 and above, and will make the task easy.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. patch should be applied to auditctl.c file present in audit-1.7 component
2. then install audit-1.7 component
3. To add watch on files and subdirectories present in a directory, type the
4. auditctl -Z path/to/directory -p rwx
All files within the directory and subdirectory will be watched.
Created attachment 300021
This patch adds directory level audit with recursion feature in userspace
Hi...first, thanks for the patch.
But I'm not sure this is a good idea since it does not provide complete
coverage. IOW, if you have a rule for /etc and a new file goes into /etc and it's
edited, the rule will not pick it up since auditctl builds a list at the time it
applies the rule instead of continuously. It's for this reason we opted to
provide coverage in the kernel rather than user space.
Also, auditctl -l takes the rules and reformats them to appear as close as
possible to the rule that is in the audit.rules file. I don't think this patch
can figure out what the original rule is unless it does a lot of extra processing.
I do appreciate the patch, but I don't think I can merge it with the current code base (see comment #2). Thank you for the offer, though.
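
The coverage gap raised in the reply above (a watch list built once, at the time the rule is applied), shown as an added example that is not part of the bug report or the attached patch. It assumes a user-space expansion that emits one `auditctl -w <path> -p rwx` rule per existing path; the function names and the sample tree are constructed for illustration, and the rules are only generated as text, never loaded.

```python
import os
import tempfile


def list_tree(root):
    """Return every directory and file path under root (root included)."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    return paths


def snapshot_rules(root, perms="rwx"):
    """Assumed one-shot expansion: one watch rule per path that exists right now."""
    return {p: f"auditctl -w {p} -p {perms}" for p in list_tree(root)}


def uncovered(root, rules):
    """Paths that exist now but received no rule when the snapshot was taken."""
    return sorted(os.path.relpath(p, root)
                  for p in list_tree(root) if p not in rules)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "etc")  # constructed sample tree
        os.makedirs(os.path.join(root, "ssh"))
        for rel in ("passwd", "ssh/sshd_config"):
            open(os.path.join(root, rel), "w").close()

        rules = snapshot_rules(root)  # the moment the rule is applied

        # Files and directories that appear after the rule was applied
        os.makedirs(os.path.join(root, "cron.d"))
        for rel in ("new.conf", "ssh/new_key", "cron.d/job"):
            open(os.path.join(root, rel), "w").close()

        return len(rules), uncovered(root, rules)


if __name__ == "__main__":
    count, missed = demo()
    print(f"{count} rules generated at snapshot time")
    for rel in missed:
        print("no watch:", rel)
```

Running the same comparison periodically against the rules actually loaded is one way to measure how far a snapshot-based rule set has drifted from the directory it is meant to cover.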