Replacing file watch (-w) with syscall
Steve Grubb
sgrubb at redhat.com
Fri May 28 15:26:09 UTC 2021
On Friday, May 28, 2021 8:34:45 AM EDT Andreas Hasenack wrote:
> I wanted to place a file watch on a file, but with an auid filter,
> i.e., I didn't want to log accesses done by a particular user. That is
> not possible with -w, so we have to use a syscall rule.
>
> The manpage has many examples of such conversions, so here is what I would
> use:
>
> -a always,exit -F auid!=andreas -F path=/etc/myfile -F perm=wa -F
> key=myfile-changed
>
> No syscall, because the manpage also says this for the perm filter:
> "You can use this without specifying a syscall and the kernel will
> select the syscalls that satisfy the permissions being requested."
>
> Right after loading that rule, though, auditctl shows it with "-S all":
>
> -a always,exit -S all -F auid!=1000 -F path=/etc/myfile -F perm=wa -F
> key=myfile-changed
>
> That had me a bit worried, in terms of performance impact, if "-S all"
> is true and all syscalls will be checked. Is this a terrible rule?
I think what you are seeing is auditctl trying to display something
meaningful. The syscalls are selected by the perm filter but it keeps this
information private and doesn't move it to the syscall mask. The watch does
the same thing you just don't see anything displayed when you list the rule.
-Steve
More information about the Linux-audit
mailing list