Auditing file access

Steve G linux_4ever at yahoo.com
Tue Nov 15 15:00:47 UTC 2005


>I set up the following policy (local.te) for a stock RHEL AS 4 build 
>(using the targeted policy source)

As Stephen said, RHEL4 has file auditing in it if you upgrade to U2. There is a
file /etc/audit.rules where you would put any audit rules that you want. There is
another file, capp.rules that is put in the audit package's docs dir that gives
you a sample CAPP configuration. In any event, to watch writes to passwd, you
would add the following line to /etc/audit.rules.

-w /etc/passwd -p w

If you put the watch to a directory, you will get updates to the directory
entries which may miss events.

Fedora does not have the ability to watch files at this point because the patch
was rejected due to overlapping hooks with inotify. A new patch will be sent
upstream soon so that fedora will have this ability at some point.

-Steve
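A small checker for the "-w PATH -p PERMS" watch-rule syntax used above, including the directory caveat from the message. This is an added example, not code from the post or from the audit package; the function names and the treatment of a missing -p as all four permissions are assumptions.

```python
"""Checker for watch rules in /etc/audit.rules syntax ("-w PATH -p PERMS").
Added example; function names are assumptions, not the audit package's API."""
import os
import shlex

VALID_PERMS = set("rwxa")  # read, write, execute, attribute change


def parse_watch_rule(line):
    """Return (path, perms) for a '-w PATH [-p PERMS]' rule, or None for
    blank lines, comments and rules that are not file watches."""
    tokens = shlex.split(line, comments=True)
    if "-w" not in tokens or tokens.index("-w") + 1 >= len(tokens):
        return None
    path = tokens[tokens.index("-w") + 1]
    perms = "rwxa"  # assumption: watch everything when -p is omitted
    if "-p" in tokens and tokens.index("-p") + 1 < len(tokens):
        perms = tokens[tokens.index("-p") + 1]
    bad = set(perms) - VALID_PERMS
    if bad:
        raise ValueError("unknown permission flag(s) %s in: %s" % (sorted(bad), line))
    return path, perms


def check_rules(text, is_dir=os.path.isdir):
    """Parse every rule in text and return a list of warnings. is_dir is
    injectable so the check can run against constructed sample rules."""
    warnings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_watch_rule(line)
        if parsed is None:
            continue
        path, perms = parsed
        if is_dir(path):
            warnings.append("line %d: %s is a directory; a directory watch reports "
                            "directory-entry changes and can miss writes to the files"
                            % (lineno, path))
        if "w" not in perms and "a" not in perms:
            warnings.append("line %d: watch on %s does not cover writes (-p %s)"
                            % (lineno, path, perms))
    return warnings


# Constructed sample rules (not any real system's configuration).
SAMPLE_RULES = """\
# watch writes to the password file, as in the message
-w /etc/passwd -p w
# directory watch: only directory-entry changes are reported
-w /etc -p w
# read-only watch, so writes would go unrecorded
-w /etc/shadow -p r
"""

if __name__ == "__main__":
    for warning in check_rules(SAMPLE_RULES, is_dir=lambda p: p == "/etc"):
        print(warning)
```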





