Hello,

I am trying to monitor multiple files using Linux audit. In order to get better performance, I am trying to reduce the number of rules.

If I specify more than one path field, as in the example below, I get “Invalid argument”.

Example 1:

# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open

Error sending add rule data request (Invalid argument)

# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open

Error sending add rule data request (Invalid argument)

However, I am able to create a single rule to monitor multiple PIDs or UIDs as below.

Example 2:

# auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537

# auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002

As per the auditctl man page, a rule can take up to 64 fields on a single command line. Each one must start with -F. Each field equation is anded with each other to trigger an audit record.

My questions are:

1. Is specifying more than one path field, as in Example 1, valid?

2. If it is not valid, how do I create a single audit rule to monitor multiple files/directories?

3. If it is valid, why is “Invalid argument” reported?

4. To monitor 10 files, are 10 audit rules required?

5. If 10 rules are required, how do I optimize the rules for performance?

My next question is: does Linux audit support regular expressions? How do I create an audit rule to monitor /var/log/*.log?

# auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$  -S open

Error sending add rule data request (Invalid argument)

If my questions are already documented, please guide me to the documentation.

Regards,

Ketan
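Added example, not part of Ketan's mail: a POSIX shell script that turns a shell glob such as /var/log/*.log into one audit rule per matching file, all sharing one key so that ausearch -k finds them together, and prints the single recursive -F dir= watch as the alternative. auditctl takes the value of -F path= literally, so the wildcard expansion is done by the shell before the rules reach auditctl. The key name logwatch, the helper functions and the temporary sample directory are assumptions for this example; the rule fields (arch, -S open/openat, path, dir, perm, -k) are documented auditctl options.

```shell
#!/bin/sh
# Added example (not from the original mail): one audit rule per file, all
# under a single key, generated from a shell glob. auditctl takes -F path=
# literally, so the shell expands the wildcard before auditctl sees it.

# gen_path_rules KEY PATTERN...
# Print one "-a always,exit" rule per existing file matched by each PATTERN.
gen_path_rules() {
    key="$1"; shift
    for pat in "$@"; do
        # $pat is unquoted so the shell expands the glob; a pattern that
        # matches nothing comes back unchanged, so skip anything that
        # does not exist
        for f in $pat; do
            [ -e "$f" ] || continue
            printf '%s\n' "-a always,exit -F arch=b64 -S open -S openat -F path=$f -F perm=wa -k $key"
        done
    done
}

# gen_dir_rule KEY DIR
# One recursive watch on a directory tree: the alternative to per-file
# rules when everything under DIR should be monitored.
gen_dir_rule() {
    printf '%s\n' "-a always,exit -F arch=b64 -S open -S openat -F dir=$2 -F perm=wa -k $1"
}

# count_rules KEY PATTERN...: how many rules gen_path_rules would emit
count_rules() {
    gen_path_rules "$@" | wc -l | tr -d ' '
}

# Constructed sample tree (assumed names) so the script runs offline,
# without root and without auditctl installed.
demo_dir=$(mktemp -d)
touch "$demo_dir/a.log" "$demo_dir/b.log" "$demo_dir/notes.txt"

# Rules for the two .log files only, then the single recursive alternative
gen_path_rules logwatch "$demo_dir/*.log"
gen_dir_rule logwatch "$demo_dir"
```

The generated lines are in audit.rules syntax, so they can be saved to a file under /etc/audit/rules.d/ and loaded with augenrules --load, or fed to auditctl -R; the matching events are then found with ausearch -k logwatch. Because the glob is expanded once, files created after the rules are loaded are not covered; the -F dir= form covers new files too at the cost of watching the whole tree.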