audit_add_watch - Linux


Overview

audit_add_watch is a command used to add a list of files or directories to the Linux Audit Framework’s watch list, enabling the auditing of events related to these items. It is primarily used in system hardening and intrusion detection scenarios.

Syntax

audit_add_watch [options] [<path>...]

Options/Flags

  • -a, --append: Append entries to the watch list instead of replacing it.
  • -c, --console: Enable watching of events on the console.
  • -f, --file: Enable watching of events on the specified files or directories.
  • -i, --immutable: Mark the watch list as immutable, preventing further modifications.
  • -k, --kmod: Enable watching of kernel module events.
  • -m, --mount: Enable watching of mount events.
  • -n, --no-notify: Disable sending of audit messages upon events.
  • -o, --owner: Enable watching of events related to the specified user.
  • -p, --path: Watch for events occurring within the specified path.
  • -r, --recursive: Enable recursive watching of subdirectories.
  • -s, --session: Enable watching of events related to the specified session.
  • -t, --time: Enable watching of events based on time criteria.
  • -u, --uid: Enable watching of events related to the specified user ID.
  • -v, --verbose: Enable verbose output.
  • -x, --execute: Enable watching of events related to the specified executable.

Examples

Simple File Watch

audit_add_watch -f /etc/passwd

This command adds the /etc/passwd file to the watch list, auditing any events related to it.

Recursive Directory Watch

audit_add_watch -r /home/user

This command adds the /home/user directory and all its subdirectories to the watch list, auditing all events occurring within that hierarchy.

Common Issues

Permission Denied

If the command fails with a "Permission denied" error, ensure that the user running the command has sufficient permissions to access the specified files or directories.

Watch List Full

If the watch list is full, the command will fail with an error. Extend the watch list size using the -s option to resolve this issue.

Integration

audit_add_watch can be combined with other Linux commands for advanced auditing scenarios. For example:

  • Pipe output to audit2allow to generate SELinux policies based on the watch list:
    audit_add_watch -f /etc/passwd | audit2allow -M my_policy
  • Use with auditctl to modify the audit rules:
    auditctl -w /etc/passwd -p rwxa -k passwd_access
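The auditctl line above is the form in which a file watch is normally made persistent: the same "-w PATH -p PERMS -k KEY" line, one per path, goes into a rules file that augenrules loads. The following POSIX sh snippet is an added example, not part of the original page or of the audit tooling itself. It generates such rule lines for a list of paths and then shows what the resulting records look like by summarising a constructed audit.log excerpt (field layout follows auditd's SYSCALL records; the uids, pids and timestamps are made up). The function names gen_watch_rules, summarise_key and count_key are the example's own.

```shell
#!/bin/sh
# Added example (not the page's or auditd's own code): build persistent watch
# rules in the auditctl "-w PATH -p PERMS -k KEY" syntax, then pull the records
# tagged with a key out of an audit log and show who touched the watched path.

# gen_watch_rules KEY PERMS PATH...  -> one rule line per path.
# PERMS is the auditctl permission set built from r, w, x, a. "wa" is the usual
# choice for integrity monitoring: reads of /etc/passwd happen constantly and
# only add noise, while writes and attribute changes are what you want to see.
gen_watch_rules() {
    key=$1; perms=$2; shift 2
    for p in "$@"; do
        printf '%s %s -p %s -k %s\n' -w "$p" "$perms" "$key"
    done
}

# Constructed sample of the SYSCALL records auditd writes when a watched path
# is opened. Record 201 is an interactive root edit, 202 is tagged with a
# different key, 203 is a denied open (success=no) by an unprivileged user.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd12 a2=241 a3=1b6 items=2 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="passwd_access"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd13 a2=0 a3=0 items=1 ppid=1 pid=4300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="sshd_config"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd14 a2=241 a3=1b6 items=1 ppid=2000 pid=4400 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" key="passwd_access"'

# summarise_key KEY  (audit records on stdin)
# Prints "auid exe success" for every record carrying KEY. auid is the login
# uid, which survives su/sudo, so it names the person rather than the
# effective uid the process ran with; success tells you whether the kernel
# actually allowed the access or merely saw the attempt.
summarise_key() {
    awk -v want="key=\"$1\"" '
        $0 ~ want {
            auid = ""; exe = ""; ok = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid")    auid = kv[2]
                if (kv[1] == "exe")     exe  = kv[2]
                if (kv[1] == "success") ok   = kv[2]
            }
            gsub(/"/, "", exe)
            print auid, exe, ok
        }'
}

# count_key KEY -> number of records on stdin tagged with KEY
count_key() {
    summarise_key "$1" | wc -l | tr -d ' '
}

# Usage: emit rules for two identity files, then review the sample log.
gen_watch_rules passwd_access wa /etc/passwd /etc/shadow
printf '%s\n' "$SAMPLE_LOG" | summarise_key passwd_access
```

On a live system the generated lines would be written to a file under the augenrules rules directory and loaded with augenrules, and the summary would be fed from ausearch -k passwd_access rather than a literal string; the logic is the same.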

Related Commands

  • audit2allow: Generates SELinux policies from audit watch lists.
  • auditctl: Controls the Linux Audit Framework.
  • augenrules: Generates audit rules based on file permissions.