On Mon, 2014-04-21 at 11:35 -0700, lists_todd(a)mac.com wrote:
On Apr 21, 2014, at 11:28 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> What happens is that the text path that you put in a watch is a human
> convenience. The kernel doesn't understand strings, it understands
> numbers. It changes the path into device and inode information.
Cool. So I am guessing the rule works even if someone creates a hard
link to the same watched path and access files through that other
path?
As I remember, and it's been a long time, watches should survive even if
the object being watched is deleted and recreated. I seem to remember
it was only if the parent directory is deleted that rules get evicted.
So that doesn't explain it for /boot! Pretty darn hard to delete /!
But it could easily make sense for your other areas being watched...
But yes, if you watch /etc/shadow and someone accesses that inode
through another hard link, you will get audit records...
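The point about the kernel keying a watch on device and inode rather than on the path can be checked directly from a shell. The script below is an added example for this thread, not something posted by any of the participants: it shows that a hard link reports the same device:inode as the original (so an access through the link hits the watched object), while a copy made with cp is a new inode that a watch on the original does not cover. It assumes GNU coreutils `stat` (the `-c '%d:%i'` format) and a writable temporary directory; the file and link names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: compare the device:inode identity the audit subsystem
# actually tracks for a hard link versus a copy of a watched file.
# Assumes GNU coreutils stat; paths are constructed for the demo.

# Print "device:inode" for a path, the identity the kernel keys a watch on.
dev_inode() {
    stat -c '%d:%i' "$1"
}

# Return 0 if a hard link to $1 resolves to the same device:inode,
# i.e. an access through the link is an access to the watched object.
hardlink_shares_inode() {
    link="$1.hardlink"          # constructed name for the demo
    ln "$1" "$link" || return 1
    orig=$(dev_inode "$1")
    via_link=$(dev_inode "$link")
    rm -f "$link"
    [ "$orig" = "$via_link" ]
}

# Return 0 if a copy of $1 shares its device:inode (it does not: cp writes
# a fresh inode, so the copy is outside any watch placed on the original).
copy_shares_inode() {
    copy="$1.copy"              # constructed name for the demo
    cp "$1" "$copy" || return 1
    orig=$(dev_inode "$1")
    via_copy=$(dev_inode "$copy")
    rm -f "$copy"
    [ "$orig" = "$via_copy" ]
}

# Stand-alone usage: build a scratch file and report both results.
demo() {
    f=$(mktemp) || return 1
    printf 'sample contents\n' > "$f"
    if hardlink_shares_inode "$f"; then
        echo "hard link: same device:inode, watch on original covers it"
    else
        echo "hard link: different identity (unexpected)"
    fi
    if copy_shares_inode "$f"; then
        echo "copy: same device:inode (unexpected)"
    else
        echo "copy: new inode, not covered by a watch on the original"
    fi
    rm -f "$f"
}

[ "${0##*/}" = "inode_watch_demo.sh" ] && demo
```

Run it as `inode_watch_demo.sh` to see both lines printed. The practical reading for a watch such as `-w /etc/shadow -p wa` is that a second hard link to the file is still the watched inode, whereas a copy placed elsewhere needs its own rule if it matters to you.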