Description of problem:
Before kernel 2.6.24 there is no support for recursive directory-level audit. If there are a number of files and subdirectories in a parent directory and we want to add a watch on all the files, then we have to put a watch on all the files and directories explicitly. Even user-level support for this from the 2.6.24 kernel is not available till now. Organisations do not frequently migrate from one kernel version to another. For example, if they are using the 2.6.22 kernel, they will not switch immediately to 2.6.24. This patch will add the feature in userspace, which will work for kernel versions before 2.6.24 and above, and will make the task easy.

Version-Release number of selected component (if applicable):
audit-1.7

How reproducible:

Steps to Reproduce:
1. The patch should be applied to the auditctl.c file present in the audit-1.7 component.
2. Then install the audit-1.7 component.
3. To add a watch on files and subdirectories present in a directory, type the command below.
4. auditctl -Z path/to/directory -p rwx

Actual results:
All files within the directory and subdirectories will be watched.

Expected results:

Additional info:
Created attachment 300021
This patch adds directory-level audit with a recursion feature in userspace.
Hi... first, thanks for the patch. But I'm not sure this is a good idea since it does not provide complete coverage. IOW, if you have a rule for /etc and a new file goes into /etc and it's edited, the rule will not pick it up since auditctl builds a list at the time it applies the rule instead of continuously. It's for this reason we opted to provide coverage in the kernel rather than user space. Also, auditctl -l takes the rules and reformats them to appear as close as possible to the rule that is in the audit.rules file. I don't think this patch can figure out what the original rule is unless it does a lot of extra processing.
I do appreciate the patch, but I don't think I can merge it with the current code base (see comment #2). Thank you for the offer, though.
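The coverage gap described in comment #2 can be shown without root or a running auditd. The following is an added example, not the code in attachment 300021 and not part of auditctl: it models a user-space recursive watch as a one-time walk of the tree that emits one -w rule per object (the hypothetical expand_recursive_watch), then checks a file created after that walk against the emitted rules and against a prefix match standing in for a kernel directory rule (the hypothetical dir_rule_covers). The directory layout and file contents are constructed for the demonstration.

```python
"""Snapshot-style recursive watches vs. a kernel directory rule (added example)."""
import os
import tempfile
from pathlib import Path


def expand_recursive_watch(directory, perms="rwx"):
    """Hypothetical model of a user-space -Z: walk the tree once and emit one
    '-w <path> -p <perms>' rule for the directory and every object below it.
    The walk happens when the rule is loaded, so it never sees later files."""
    directory = os.path.normpath(directory)
    rules = [f"-w {directory} -p {perms}"]
    for root, dirs, files in os.walk(directory):
        for name in sorted(dirs) + sorted(files):
            rules.append(f"-w {os.path.join(root, name)} -p {perms}")
    return rules


def snapshot_covers(rules, path):
    """A -w rule matches only the exact path it was generated for."""
    watched = {rule.split()[1] for rule in rules}
    return os.path.normpath(path) in watched


def dir_rule_covers(directory, path):
    """Stand-in for a kernel directory rule: anything at or below the
    directory is covered, whether or not it existed when the rule was loaded."""
    directory = os.path.normpath(directory)
    path = os.path.normpath(path)
    return os.path.commonpath([directory, path]) == directory


def demo():
    """Build a small tree, load snapshot rules, then add a file afterwards."""
    with tempfile.TemporaryDirectory() as top:
        etc = os.path.join(top, "etc")
        os.makedirs(os.path.join(etc, "sub"))
        Path(etc, "passwd").write_text("root:x:0:0::/root:/bin/sh\n")   # constructed
        Path(etc, "sub", "a.conf").write_text("key = value\n")           # constructed

        rules = expand_recursive_watch(etc)          # rules loaded now

        existing = os.path.join(etc, "sub", "a.conf")
        new_file = os.path.join(etc, "new.conf")
        Path(new_file).write_text("created after the rules were loaded\n")  # constructed

        return {
            "rule_count": len(rules),
            "existing_snapshot": snapshot_covers(rules, existing),
            "new_snapshot": snapshot_covers(rules, new_file),
            "new_dir_rule": dir_rule_covers(etc, new_file),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The snapshot covers the objects present at load time (etc, sub, passwd, a.conf: four rules) but not new.conf, while the prefix check that models a kernel directory rule covers the new file as well. The emitted rules also illustrate the second point in comment #2: what was loaded is a flat list of -w lines, so a listing has nothing from which to reconstruct the original directory rule.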