Hi Steve,
As I was running some of our watch tests, I noticed the following:
You can add multiple watches on the same path if you specify different filter
key values. That doesn't make sense to me, so I wanted to check whether that is
intended behavior, and if so, why?
Also, since you can have multiple watches on the same path, it is no longer
sufficient to do a "-W <path>" to remove the watch; now you have to specify
which watch to remove by using "-k key" as well.
Is this how auditctl will continue to function? We need to make changes to
our functions accordingly.
I am on the latest rawhide kernel (2.6.17-1.2573.fc6) and audit-1.2.5-8.
[root~]# auditctl -w /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
[root~]# auditctl -w /tmp/file2 -k first-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
[root~]# auditctl -w /tmp/file2 -k second-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
[root~]# auditctl -W /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
[root~]# auditctl -W /tmp/file2
Error sending delete rule request (No rule matches)
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
-Loulwa
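As an added example (not part of the message above and not code from the audit package), here is a small shell helper for the situation Loulwa describes: given the LIST_RULES output format shown in her transcript, it finds every watch rule on a path, reports the key of each one, and prints the exact auditctl -W / -k invocations needed to remove them all, since a bare "-W <path>" only matches the keyless rule. The sample rule listing is constructed to mirror her output (with one extra watch on a different path added to show filtering); the function names watch_keys, delete_cmds and count_watches are my own. It assumes the old LIST_RULES output format from that audit release; newer auditctl versions print rules differently, so the awk parsing would need adjusting there.

```shell
#!/bin/sh
# Constructed sample of `auditctl -l` output in the audit-1.2.5 LIST_RULES
# format: one LIST_RULES line per rule, followed by wrapped syscall lines.
SAMPLE_RULES='LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/etc/shadow key=shadow-watch
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown'

# watch_keys PATH  (rule listing on stdin)
# Prints one line per watch rule on PATH: the rule's key, or "-" if the
# rule has no key. Continuation (syscall=...) lines are ignored.
watch_keys() {
    path=$1
    awk -v p="$path" '
        /^LIST_RULES:/ {
            w = ""; k = "-"
            for (i = 1; i <= NF; i++) {
                if (index($i, "watch=") == 1) w = substr($i, 7)
                if (index($i, "key=") == 1)   k = substr($i, 5)
            }
            if (w == p) print k
        }'
}

# delete_cmds PATH  (rule listing on stdin)
# Emits the auditctl commands that remove every watch on PATH. A keyless
# rule is matched by "-W PATH" alone; a keyed rule also needs "-k KEY".
delete_cmds() {
    path=$1
    watch_keys "$path" | while read -r key; do
        if [ "$key" = "-" ]; then
            printf 'auditctl -W %s\n' "$path"
        else
            printf 'auditctl -W %s -k %s\n' "$path" "$key"
        fi
    done
}

# count_watches PATH  (rule listing on stdin)
# Number of watch rules currently installed on PATH.
count_watches() {
    watch_keys "$1" | wc -l | tr -d ' '
}

# Dry run against the constructed sample: prints the commands, does not run
# them. On a real system you would pipe `auditctl -l` in instead.
printf '%s\n' "$SAMPLE_RULES" | delete_cmds /tmp/file2
```

To actually clear the watches you would pipe `auditctl -l` into delete_cmds and then into sh, after eyeballing the output; a test harness can use count_watches before and after to confirm that every rule on the path, keyed or not, is gone.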