
how to know which files are flagged for auditing

SOLVED
dom kris
Frequent Advisor

how to know which files are flagged for auditing

Hi,

Is there a cmd that lists all files/dirs that have been tagged with the 'auditmask -x' cmd?
When you activate auditing, you must choose a profile for the server. Based upon this profile, there are a number of files that are tagged. The list of these files is kept in /etc/sec/fs_objects. However, when I manually add a file, e.g. 'auditmask -x /.ssh/known_hosts', how can I keep track of all the files that are tagged?
I ran a 'find / -exec auditmask -q {} \;' to get an idea of all files that are tagged (and there were a lot more files tagged than listed in the /etc/sec/fs_objects file) but this seems a bit heavy just to get a correct list.

Any help much appreciated.

Kris
2 REPLIES
Ann Majeske
Honored Contributor
Solution

Re: how to know which files are flagged for auditing

Hi Kris,

The short answer is no :(

The audit information for each file is stored as an extended attribute in the property list for the file (see man proplist). So, there is no central location where this information is kept.

Ann
dom kris
Frequent Advisor

Re: how to know which files are flagged for auditing

Thanks for the info, Ann.