A question about the directory watch in audit_tree.c in kernel

[Steve Grubb]

On Thursday 22 May 2008 08:28:13 LC Bruzenak wrote:
> Steve, do any of the syscall directory watches recursively audit to the
> bottom of a given directory tree?

Yes, any watch on a directory does. auditctl does the following 
transformations:

-w /etc - p wa

becomes:

-a always,exit -F dir=/etc -F perm=wa

while

-w /etc/shadow -p wa

becomes:

-a always,exit -F path=/etc/shadow -F perm=wa

Its not necessary to have -S as the perm field selects the appropriate 
syscalls based on the permissions you are interested in.


> I had kept many "-w" fields in place b/c the man page says they do not
> impact performance based on the number of rules, and I wanted the full
> subtree covered.

They are in fact transformed into the above which is the new API. The -w form 
is easier to write, but if you wanted to do something special like only see 
writes to a file caused by a certain range of auids or failures, then you 
have to use the new form of the rule.

-a always,exit -F path=/etc/shadow -F perm=wa -F exit=-EACCES -F auid>=500

> Should look to changing these watches to specific syscall watches in
> order to not get "legacied out" at some point?

No, they are the same thing. You only need to change if you wanted to do 
something extra.

-Steve