This is a discussion on audit on remove within the AIX Operating System forums, part of the Unix Operating Systems category.
Hi,

I would like to monitor the deletion of files in a specific filesystem. I removed "root = general" from /etc/security/audit/config, removed everything from /etc/security/audit/objects, and added:

    /home/user/dir_to_monitor:
        w = "FILE_Unlink"
        r = "FILE_Unlink"
        x = "FILE_Unlink"

I get what I want, but the log is full of other records (FS_Chdir, FS_Mkdir, CRON_Start, ...) for other directories. Is there some default or minimal set of records that audit writes? I need to have a minimum number of records because this is a directory with a large number of files, and the log will be huge.

Regards
On Jan 14, 10:34 am, Kralj <tomis...@gmail.com> wrote:

More info found: I removed everything from "classes:" and "users:" in /etc/security/audit/config, and got rid of all the extra lines in the audit log, but I lose the info about the name of the file that was deleted. So I need a config that has all possible info for the targeted directory, but none for everything else.

Thanks