audit_add_watch - Linux
Overview
audit_add_watch is a function of libaudit, the userspace library of the Linux Audit Framework, not a standalone command. It builds the rule layout for a watch on a file system object; the rule is then sent to the kernel with audit_add_rule_data(). The command-line way to create the same rule is auditctl -w, which is what the rest of this page uses. A watch makes the kernel record every access to the watched file or directory (reads, writes, executes and attribute changes, selectable per watch), which is the basis for file-integrity monitoring and host intrusion detection on Linux.
Syntax
As a library call (declared in <libaudit.h>):
int audit_add_watch(struct audit_rule_data **rulep, const char *path);
int audit_add_watch_dir(int type, struct audit_rule_data **rulep, const char *path);
rulep points at an empty rule buffer that the function allocates or grows to hold the watch; type is AUDIT_WATCH for a single object or AUDIT_DIR for a directory tree, and audit_add_watch() is the AUDIT_WATCH case. Both return 0 on success and a negative value on failure. The permissions of the new rule default to read, write, execute and attribute change and are narrowed with audit_update_watch_perms(); the finished rule is loaded with audit_add_rule_data().
From the command line the same rule is created with:
auditctl -w <path> [-p [r|w|x|a]] [-k <key>]
Options/Flags
audit_add_watch() itself takes no flags: its only inputs are the rule buffer and the path. The options below are the watch-related options of auditctl(8), which is how watches are created in practice:
- -w path: Insert a watch for the file system object at path. The path must be absolute, the kernel refuses a watch on / itself, and wildcards are not supported.
- -W path: Remove the watch at path.
- -p [r|w|x|a]: Which accesses to record: read, write, execute, attribute change (ownership, mode, timestamps, extended attributes). The default is all four.
- -k key: Filter key, up to 31 bytes, written into every record the rule produces as key="...", which is what ausearch -k and aureport -k search on.
- -l: List the rules currently loaded in the kernel.
- -D: Delete all rules and watches; -D -k key deletes only the rules carrying that key.
- -R file: Load rules from file, one auditctl argument list per line.
- -e [0|1|2]: Disable or enable auditing; 2 locks the configuration so that no further rule changes are accepted until the system is rebooted.
- -b backlog: Maximum number of audit records the kernel may hold in its queue before the failure mode applies.
- -f [0|1|2]: Failure mode when a record cannot be queued: 0 silent, 1 printk, 2 panic.
- -s: Print the kernel audit status, including the backlog_limit and lost counters.
A watch is shorthand for a syscall rule: -w path -p wa -k key is equivalent to -a always,exit -F path=path -F perm=wa -k key, and -F dir= is the equivalent for a directory tree.
Examples
Simple File Watch
auditctl -w /etc/passwd -p wa -k passwd_access
This adds a watch on /etc/passwd and records every write and attribute change (ownership, mode, timestamps) to it under the key passwd_access. Adding r would also record reads, which on a world-readable file such as /etc/passwd is usually too noisy to keep.
Recursive Directory Watch
auditctl -w /home/user -p wa -k home_user
A watch placed on a directory covers the directory and everything beneath it, so this records writes and attribute changes anywhere under /home/user. Rules added with auditctl are lost at reboot; to make a watch permanent, put the same line without the auditctl prefix in a file under /etc/audit/rules.d/ and load it with augenrules --load.
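Watches are usually deployed as a rules file rather than typed one by one, and a rule that the kernel refuses makes the whole file fail to load. The following POSIX shell script is an added example, not code from the page or from the audit project: it generates the -w lines for a set of paths and rejects, before anything is written, the inputs that auditctl or the kernel would refuse (relative paths, a watch on / or with a trailing slash, wildcards, bad -p letters, keys over the 31 bytes auditctl(8) documents). The function names and the file name 50-identity-files.rules are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original page: generate an auditd watch rules
# file for /etc/audit/rules.d/ and refuse inputs that auditctl or the kernel
# would reject. Function names and 50-identity-files.rules are assumptions.

# validate_watch PATH PERMS KEY: returns 0 if the triple can be loaded.
validate_watch() {
    path=$1; perms=$2; key=$3
    case "$path" in
        /)   echo "error: the kernel refuses a watch on / itself" >&2; return 1 ;;
        */)  echo "error: $path: trailing slash is rejected by the kernel" >&2; return 1 ;;
        /*)  ;;
        *)   echo "error: $path: watch paths must be absolute" >&2; return 1 ;;
    esac
    case "$path" in
        *'*'* | *'?'* | *'['*)
             echo "error: $path: wildcards are not supported in watches" >&2; return 1 ;;
    esac
    case "$perms" in
        '' | *[!rwxa]*)
             echo "error: '$perms': -p takes a non-empty subset of r,w,x,a" >&2; return 1 ;;
    esac
    case "$key" in
        '')  echo "error: key must not be empty" >&2; return 1 ;;
        *[!A-Za-z0-9_.-]*)
             echo "error: $key: keep keys to [A-Za-z0-9_.-]" >&2; return 1 ;;
    esac
    # auditctl(8) documents a 31-byte limit for -k keys.
    if [ "${#key}" -gt 31 ]; then
        echo "error: $key: key longer than 31 bytes" >&2; return 1
    fi
    return 0
}

# make_watch_rules KEY PERMS PATH...: prints one "-w PATH -p PERMS -k KEY" line
# per path. If any path fails validation nothing is printed and 1 is returned,
# so a half-built rules file is never produced.
make_watch_rules() {
    key=$1; perms=$2; shift 2
    out=""
    for p in "$@"; do
        validate_watch "$p" "$perms" "$key" || return 1
        out="${out}-w $p -p $perms -k $key
"
    done
    printf '%s' "$out"
}

# write_rules_file FILE KEY PERMS PATH...: writes a rules.d-style file.
write_rules_file() {
    file=$1; shift
    rules=$(make_watch_rules "$@") || return 1
    {
        echo "## Generated watch rules. Load with: augenrules --load"
        printf '%s\n' "$rules"
    } > "$file"
}

# Demonstration: build the file in a temporary directory. Generating it needs
# no privilege; loading it (augenrules --load) is the step that needs root.
tmp=$(mktemp -d)
write_rules_file "$tmp/50-identity-files.rules" identity_files wa \
    /etc/passwd /etc/shadow /etc/group /etc/sudoers
cat "$tmp/50-identity-files.rules"

# Inputs that would fail at load time are caught before anything is written.
if ! make_watch_rules identity_files wa etc/passwd 2>/dev/null; then
    echo "rejected relative path, as expected"
fi
```

Copy the generated file to /etc/audit/rules.d/, run augenrules --load as root, and confirm the watches with auditctl -l; if the kernel has been locked with -e 2 the load is refused until the next reboot, so the check script is worth running before a reboot rather than after one.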
Common Issues
Permission Denied
Loading a rule requires root, specifically CAP_AUDIT_CONTROL, because rules are sent to the kernel over the audit netlink socket; for an unprivileged user the kernel rejects the request with EPERM and auditctl reports "Operation not permitted". Two other refusals look similar: if the configuration has been locked with -e 2, auditctl reports that the audit system is in immutable mode and no rule changes are allowed until reboot, and adding a watch that is already loaded fails with EEXIST ("File exists"), so check auditctl -l before adding.
Backlog Full (Lost Events)
There is no separate watch list with a size to extend, and -s only prints the audit status. What does fill up is the kernel's queue of records waiting for auditd: when it is exhausted the kernel logs "audit: backlog limit exceeded" and, depending on the failure mode set with -f, silently drops events, prints a warning, or panics. Check auditctl -s for the backlog_limit and lost counters; a growing lost count means watch events are being discarded. Raise the limit with -b (for example auditctl -b 8192, or a -b 8192 line at the top of the rules file) and reduce noise by restricting watches to the accesses you need (-p wa rather than the default rwxa).
Integration
audit_add_watch can be combined with other Linux commands for advanced auditing scenarios. For example:
- Pipe output to
audit2allow
to generate SELinux policies based on the watch list:audit_add_watch -f /etc/passwd | audit2allow -M my_policy
- Use with
auditctl
to modify the audit rules:auditctl -w /etc/passwd -p rwxa -k passwd_access
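Each event a keyed watch produces is several records in /var/log/audit/audit.log that share the serial number inside msg=audit(TIME:SERIAL): the SYSCALL record says who and how (auid, uid, exe, syscall, success, key) and the PATH records say what. The following POSIX shell and awk script is an added example, not code from the page or from the audit project: it correlates those records offline and prints one line per keyed event, the same join that ausearch -k performs on a live host. The log lines it reads are constructed for the example, and the function names are its own.

```shell
#!/bin/sh
# Added example, not part of the original page: correlate the raw records of
# keyed audit events and print who touched which watched file. The log records
# are constructed (not captured from a real host); function names are assumed.

# summarize_watch_hits LOGFILE
# Output, one line per keyed event, sorted by serial:
#   SERIAL AUID UID EXE SYSCALL SUCCESS KEY PATH[,PATH...]
summarize_watch_hits() {
    awk '
    # value of NAME=... in a record; quoted values have the quotes stripped
    function field(line, name,    m) {
        if (match(line, " " name "=\"[^\"]*\"")) {
            m = substr(line, RSTART, RLENGTH)
            sub(/^[^=]*="/, "", m); sub(/"$/, "", m)
            return m
        }
        if (match(line, " " name "=[^ ]*")) {
            m = substr(line, RSTART, RLENGTH)
            sub(/^[^=]*=/, "", m)
            return m
        }
        return ""
    }
    # SERIAL from msg=audit(TIME:SERIAL):
    function serial(line) {
        if (match(line, /:[0-9]+\):/)) return substr(line, RSTART + 1, RLENGTH - 3)
        return ""
    }
    /^type=SYSCALL / {
        k = field($0, "key")
        if (k == "" || k == "(null)") next   # not produced by a keyed rule
        s = serial($0)
        key[s] = k
        auid[s] = field($0, "auid"); uid[s] = field($0, "uid")
        exe[s] = field($0, "exe");   sc[s] = field($0, "syscall")
        ok[s] = field($0, "success")
    }
    /^type=PATH / {
        if (field($0, "nametype") == "PARENT") next   # the directory, not the object
        s = serial($0); n = field($0, "name")
        path[s] = (path[s] == "") ? n : path[s] "," n
    }
    END {
        for (s in key)
            printf "%s %s %s %s %s %s %s %s\n", s, auid[s], uid[s], exe[s], sc[s], ok[s], key[s], path[s]
    }' "$1" | sort -n
}

# write_sample_log FILE: constructed records for a rule such as
# -w /etc/passwd -p wa -k identity_files (an edit under sudo, a chmod by a
# cron job), plus one unkeyed execve event that the summary must ignore.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity_files"
type=CWD msg=audit(1700000000.101:201): cwd="/root"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=90 success=yes exit=0 a0=0 a1=1a0 a2=0 a3=0 items=1 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="identity_files"
type=PATH msg=audit(1700000000.250:202): item=0 name="/etc/shadow" inode=1235 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1 pid=800 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=PATH msg=audit(1700000000.300:203): item=0 name="/usr/bin/ls" inode=99 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# Demonstration on the constructed log.
tmp=$(mktemp -d)
write_sample_log "$tmp/audit.log"
summarize_watch_hits "$tmp/audit.log"
```

Two columns matter most when reading the result. auid is the login uid, which survives su and sudo, so the first line (auid=1000, uid=0, exe=/usr/bin/vim, syscall 257 = openat on x86_64) attributes a root edit of /etc/passwd to the person who logged in as uid 1000; attributing by uid alone would only say "root". The value 4294967295 is the unset auid: the process was started without a login session, here cron changing the mode of /etc/shadow (syscall 90 = chmod), which is the pattern to expect from scheduled jobs and daemons and the one to treat with suspicion when no such job exists.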
Related Commands
- audit2allow: Builds SELinux policy modules from AVC denial records in the audit log; it does not read watch rules.
- auditctl: Controls the Linux Audit Framework: loads, lists and deletes rules, including watches, and sets the backlog, failure mode and lock state.
- augenrules: Merges the rule files in /etc/audit/rules.d/ into /etc/audit/audit.rules and, with --load, loads the result into the kernel.
- ausearch, aureport: Search and summarize audit records, including by the key a watch was given with -k.