Good afternoon Linux audit list,

I believe I’ve come across a bug in Linux audit when writing syscall monitors for a directory.

File watchers are suggested to be syscall rules under the hood. I don’t believe this is true, based on the different behavior of syscall rules and file watcher rules when monitoring directories that don’t exist.

Suggested to be equivalent per auditctl(8):

-w /tmp/fakedir -p warx -k test1
-s always, exit -F dir=/tmp/fakedir -F perm=warx -k test2

What will happen if the dir doesn’t exist in case 1 is the rule loads and continues. In case 2, the rule will fail to load, thus failing to load all rules below it.

The auditctl(8)
Per the auditctl(8) man page -F (rule fields) are not supported by watchers. This doesn’t appear to be true any longer, as watchers do seem to honor -F (extensive testing not performed).

Any insight or suggestions? I am considering using a watcher with rule fields despite it not being officially supported due to the loading error with syscalls.