Re: Replacing file watch (-w) with syscall

I wanted to place a file watch on a file, but with an auid filter, i.e., I didn't want to log accesses done by a particular user. That is not possible with -w, so we have to use a syscall rule. The manpage has many examples of such conversions, so here is what I would use: -a always,exit -F auid!=andreas -F path=/etc/myfile -F perm=wa -F key=myfile-changed No syscall, because the manpage also says this for the perm filter: "You can use this without specifying a syscall and the kernel will select the syscalls that satisfy the permissions being requested." Right after loading that rule, though, auditctl shows it with "-S all": -a always,exit -S all -F auid!=1000 -F path=/etc/myfile -F perm=wa -F key=myfile-changed That had me a bit worried, in terms of performance impact, if "-S all" is true and all syscalls will be checked. Is this a terrible rule?