Syscall Rules vs Watch Rules
Amjad Gabbar
amjadgabbar11 at gmail.com
Wed Sep 6 15:56:11 UTC 2023
Hi,
I have done some analysis and digging into how both the watch rules and
syscall rules are translated.
From my understanding, in terms of logging, both the below rules are
similar. There is no difference in either of the rules.
1. -w /etc -p wa -k ETC_WATCH
2. -a always,exit -F arch=b64 -S <all syscalls part of the write and attr classes> -F dir=/etc -F perm=wa -k ETC_WATCH
The write and attr classes consist of syscalls in
"include/asm-generic/audit_*.h".
The perm flag is needed in the second case for including open/openat
syscalls which are not a part of the write and attr syscall list.
I'd like to verify if what I mentioned earlier is accurate, and I have an
additional point, but it depends on whether this is accurate.
Ali