A question about the directory watch in audit_tree.c in kernel
Steve Grubb
sgrubb at redhat.com
Thu May 22 13:09:21 UTC 2008
On Thursday 22 May 2008 08:28:13 LC Bruzenak wrote:
> Steve, do any of the syscall directory watches recursively audit to the
> bottom of a given directory tree?
Yes, any watch on a directory does. auditctl does the following
transformations:
-w /etc - p wa
becomes:
-a always,exit -F dir=/etc -F perm=wa
while
-w /etc/shadow -p wa
becomes:
-a always,exit -F path=/etc/shadow -F perm=wa
Its not necessary to have -S as the perm field selects the appropriate
syscalls based on the permissions you are interested in.
> I had kept many "-w" fields in place b/c the man page says they do not
> impact performance based on the number of rules, and I wanted the full
> subtree covered.
They are in fact transformed into the above which is the new API. The -w form
is easier to write, but if you wanted to do something special like only see
writes to a file caused by a certain range of auids or failures, then you
have to use the new form of the rule.
-a always,exit -F path=/etc/shadow -F perm=wa -F exit=-EACCES -F auid>=500
> Should look to changing these watches to specific syscall watches in
> order to not get "legacied out" at some point?
No, they are the same thing. You only need to change if you wanted to do
something extra.
-Steve
More information about the Linux-audit
mailing list