<div dir="auto">Hi,
<div dir="auto"><br></div>
<div dir="auto">I have done some analysis and digging into how both the watch rules and syscall rules are translated.</div>
<div dir="auto"><br></div>
<div dir="auto">From my understanding, in terms of logging, both the rules below are similar. There is no difference in either of the rules.</div>
<div dir="auto"><br></div>
<div dir="auto">1. -w /etc -p wa -k ETC_WATCH</div>
<div dir="auto"><br></div>
<div dir="auto">2. -a always,exit -F arch=b64 -S &lt;all syscalls part of the write and attr classes&gt; -F dir=/etc -F perm=wa -k ETC_WATCH</div>
<div dir="auto"><br></div>
<div dir="auto">The write and attr classes consist of the syscalls in "include/asm-generic/audit_*.h".</div>
<div dir="auto"><br></div>
<div dir="auto">The perm flag is needed in the second case for including the open/openat syscalls, which are not a part of the write and attr syscall lists.</div>
<div dir="auto"><br></div>
<div dir="auto">I'd like to verify whether what I mentioned earlier is accurate, and I have an additional point, but it depends on whether this is accurate.</div>
<div dir="auto"><br></div>
<div dir="auto">Ali</div>
</div>