Adding multiple watch rules on same path

Loulwa Salem loulwas at us.ibm.com
Tue Aug 22 15:32:45 UTC 2006


Hi Steve,
As I was running some of our watch tests, I noticed the following:
You can add multiple watches on the same path if you specify different filter 
key values. That doesn't make sense to me, so I wanted to check if that is 
intended behavior, and if so, why?

Also, since you can have multiple watches on the same path, it is no longer 
sufficient to do a "-W <path>" to remove the watch; now you have to specify 
which watch to remove by using the "-k key" as well.
Is this how auditctl will continue to function? We need to make changes 
to our functions accordingly.

I am on the latest rawhide kernel (2.6.17-1.2573.fc6) and audit-1.2.5-8

[root~]# auditctl -w /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -w /tmp/file2 -k first-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -w /tmp/file2 -k second-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -W /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -W /tmp/file2
Error sending delete rule request (No rule matches)
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key 
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

-Loulwa
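The listing above shows why a plain "-W <path>" is no longer enough once keyed rules exist. The following shell script is an added example, not part of the post or the audit project: it parses LIST_RULES lines of the form shown above, reports every watch path that carries more than one rule, and prints the exact delete command each rule needs (keyed rules get "-k <key>"). The sample listing is constructed, and the script assumes one rule per line, as the tool prints it (the post's listing is wrapped by the mail client).

```shell
#!/bin/sh
# Added example (not from the mailing-list post): index old-style
# "auditctl -l" output (LIST_RULES lines) by watch path, flag paths that
# carry more than one watch rule, and print the delete command each rule
# needs. Assumption: one rule per line, as auditctl itself prints it.

# Constructed sample listing in the LIST_RULES format shown in the post.
SAMPLE_RULES='LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate
LIST_RULES: exit,always watch=/tmp/file2 key=second-key syscall=open,truncate
LIST_RULES: exit,always watch=/tmp/file2 syscall=open,truncate
LIST_RULES: exit,always watch=/etc/passwd key=passwd-watch syscall=open'

# watch_index: stdin = LIST_RULES lines; stdout = "<path> <key>" for every
# watch rule, with "-" as the key when the rule has none.
watch_index() {
    awk '
        /^LIST_RULES: / {
            path = ""; key = "-"
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 6) == "watch=") path = substr($i, 7)
                else if (substr($i, 1, 4) == "key=") key = substr($i, 5)
            }
            if (path != "") print path, key
        }'
}

# duplicate_watches: stdin = LIST_RULES lines; stdout = "<path> <count>" for
# each path that has more than one watch rule (sorted, since awk array
# iteration order is unspecified).
duplicate_watches() {
    watch_index | awk '
        { n[$1]++ }
        END { for (p in n) if (n[p] > 1) print p, n[p] }' | sort
}

# delete_commands: stdin = LIST_RULES lines; stdout = one auditctl -W command
# per rule. "-W <path>" alone only matches the keyless rule, so keyed rules
# get "-k <key>" appended, as the post describes.
delete_commands() {
    watch_index | awk '
        $2 == "-" { print "auditctl -W " $1 }
        $2 != "-" { print "auditctl -W " $1 " -k " $2 }'
}

# Stand-alone usage on the constructed sample; on a live system you would
# feed "auditctl -l" output instead.
printf '%s\n' "$SAMPLE_RULES" | duplicate_watches
printf '%s\n' "$SAMPLE_RULES" | delete_commands
```

On the sample, `duplicate_watches` reports `/tmp/file2 3`, matching the three rules the post accumulated, and `delete_commands` emits a distinct `-W` line per rule so that none of them is silently left behind after a cleanup.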
