RedTedRedemption

Asked: 2020-12-24 23:31:28 +0800 CST2020-12-24 23:31:28 +0800 CST 2020-12-24 23:31:28 +0800 CST

selinux audit rule not logging anything

I am trying to audit a directory tree for read, write, and permissions change. I created the rule using auditctl -w <path> -k media-watch, but ausearch -k media-watch only shows the creation (or deletion for debugging) of the rule, and not file creation or changes within the specified directory or below it in the tree. Selinux is disabled, if that's relevant.

Why? How can I make sure file access/changes are logged for auditing?

1 Answers

Voted

Michael Hampton
2020-12-25T01:49:27+08:002020-12-25T01:49:27+08:00
The man page says that -w is deprecated, so I wouldn't be using it. I'd be using the current format for such a rule instead. For example:

auditctl -a always,exit -F dir=/path/to/dir/ -k media-watch
1

selinux audit rule not logging anything

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?