On Thursday 22 May 2008 08:28:13 LC Bruzenak wrote:
> Steve, do any of the syscall directory watches recursively audit to the
> bottom of a given directory tree?
Yes, any watch on a directory does. auditctl does the following transformations:
-w /etc -p wa
becomes:
-a always,exit -F dir=/etc -F perm=wa
while
-w /etc/shadow -p wa
becomes:
-a always,exit -F path=/etc/shadow -F perm=wa
It's not necessary to have -S as the perm field selects the appropriate syscalls based on the permissions you are interested in.
> I had kept many "-w" fields in place b/c the man page says they do not
> impact performance based on the number of rules, and I wanted the full
> subtree covered.
They are in fact transformed into the above which is the new API. The -w form 
is easier to write, but if you wanted to do something special like only see 
writes to a file caused by a certain range of auids or failures, then you 
have to use the new form of the rule.
-a always,exit -F path=/etc/shadow -F perm=wa -F exit=-EACCES -F auid>=500
> Should look to changing these watches to specific syscall watches in
> order to not get "legacied out" at some point?
No, they are the same thing. You only need to change if you wanted to do 
something extra.
-Steve
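The rewrite Steve describes, as an added example that is not part of the original mail or of the audit userspace tools: a small Python helper that turns the legacy `-w PATH -p PERMS` form into the `-a always,exit -F dir=/-F path= -F perm=` form and appends the extra `exit`/`auid` filters that only the long form supports. The function names, the `is_dir`/`known_dirs` switches and the sample rule list are this example's own choices; they are not an auditctl API, and the dir-versus-path decision mirrors the two cases in the mail rather than auditctl's internal logic.

```python
# Added example (not from the mailing-list post or from auditctl): rewrite
# "-w PATH -p PERMS" watches into the "-a always,exit" form described above.
import os
import shlex

VALID_PERMS = frozenset("rwxa")  # r=read, w=write, x=execute, a=attribute change


def parse_watch(watch_rule):
    """Parse a legacy '-w PATH -p PERMS' line into (path, perms).

    Raises ValueError for anything that is not a plain watch rule, so a
    caller rewriting a rules file can leave such lines untouched.
    """
    argv = shlex.split(watch_rule)
    path = perms = None
    i = 0
    while i < len(argv):
        if argv[i] == "-w" and i + 1 < len(argv):
            path = argv[i + 1]
        elif argv[i] == "-p" and i + 1 < len(argv):
            perms = argv[i + 1]
        else:
            raise ValueError("not a plain -w/-p watch rule: %r" % watch_rule)
        i += 2
    if path is None or perms is None:
        raise ValueError("watch rule needs both -w and -p: %r" % watch_rule)
    if not perms or not set(perms) <= VALID_PERMS:
        raise ValueError("bad permission set %r (expected subset of rwxa)" % perms)
    return path, perms


def is_valid_watch(line):
    """True when the line is a well-formed '-w PATH -p PERMS' watch."""
    try:
        parse_watch(line)
        return True
    except ValueError:
        return False


def watch_to_rule(watch_rule, is_dir=None):
    """Return the '-a always,exit' form equivalent to a '-w' watch.

    A directory watch becomes '-F dir=' (covers the whole subtree, as the
    mail states); a file watch becomes '-F path='. When is_dir is None the
    local filesystem is consulted; pass it explicitly when rewriting rules
    meant for another host. No -S is emitted: perm selects the syscalls.
    """
    path, perms = parse_watch(watch_rule)
    if is_dir is None:
        is_dir = os.path.isdir(path)
    key = "dir" if is_dir else "path"
    return "-a always,exit -F %s=%s -F perm=%s" % (key, path, perms)


def with_filters(rule, exit_code=None, auid_min=None):
    """Append the extra filters that only the long form supports.

    exit_code is a syscall result such as '-EACCES' (log failures only);
    auid_min keeps only login uids at or above that value, e.g. 500.
    """
    if exit_code is not None:
        rule += " -F exit=%s" % exit_code
    if auid_min is not None:
        rule += " -F auid>=%d" % auid_min
    return rule


def rewrite_rules(lines, known_dirs=None):
    """Rewrite every '-w' watch in a rules listing; other lines pass through.

    known_dirs: optional set of paths to treat as directories (for rules
    destined for another host); otherwise the local filesystem decides.
    """
    out = []
    for line in lines:
        stripped = line.strip()
        if not stripped.startswith("-w "):
            out.append(line)
            continue
        is_dir = None
        if known_dirs is not None:
            is_dir = parse_watch(stripped)[0] in known_dirs
        out.append(watch_to_rule(stripped, is_dir=is_dir))
    return out


if __name__ == "__main__":
    # Constructed sample rules file, mirroring the two cases from the mail.
    sample = ["# watch the whole /etc tree", "-w /etc -p wa", "-w /etc/shadow -p wa"]
    for rule in rewrite_rules(sample, known_dirs={"/etc"}):
        print(rule)
    # The long form is only needed when adding filters like these.
    print(with_filters(watch_to_rule("-w /etc/shadow -p wa", is_dir=False),
                       exit_code="-EACCES", auid_min=500))
```

Passing `known_dirs` (or `is_dir`) matters when the rules are generated on a build host rather than the machine they will be loaded on: `-F dir=` on a path that is actually a file, or `-F path=` on a directory, does not give the subtree coverage the `-w` form silently chose for you.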