Hi Everyone,

I wanted some help in better understanding the workflow of file system auditing(watch rules) vs Syscall Auditing(syscall rules). I know in general file system auditing does not have the same performance impact as syscall auditing, even though both make use of syscall exits for their evaluation.

From the manpage - "Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel."

From a previous thread, I found this excerpt regarding file watch rules vs sycall rules -
"The reason it doesn't have performance impact like normal syscall rules is

because it gets moved to a list that is not evaluated every syscall. A normal syscall rule will get evaluated for every syscall because it has to see if the syscall number is of interest and then it checks the next rule."

Based on this I had a couple of questions:

For normal syscall rules, the evaluation happens as __audit_syscall_exit calls audit_filter_syscall
(https://elixir.bootlin.com/linux/v6.1.10/source/kernel/auditsc.c#L841)

Here, we check if the syscall is of interest or not in the audit_in_mask function. Only if the syscall is of interest do we proceed with examining the task and return on the first rule match.

1. What is the process or code path for watch rules? audit_filter_syscall is called for watch rules as well. Then how is it that these are not called for every syscall? Could you point me to the code where the evaluation happens only once?

2. Also, do file watches only involve the open system call family (open, openat etc). The man page implies the same, so just wanted to confirm.

I assume -w /etc -p wa is the same as -a always,exit -S open -S openat -F dir=/etc?

Please correct any wrong assumption I may have as well.

Regards