Hello,
On Monday, July 22, 2024 4:00:37 PM EDT Michael McKinley via Linux-audit
wrote:
> I believe I’ve come across a bug in Linux audit when writing syscall
> monitors for a directory.
>
> File watchers are suggested to be syscall rules under the hood. I don’t
> believe this is true, based on the different behavior of syscall rules and
> file watcher rules when monitoring directories that don’t exist. Suggested
> to be equivalent per auditctl(8):
>
>     -w /tmp/fakedir -p warx -k test1
>     -a always,exit -F dir=/tmp/fakedir -F perm=warx -k test2
It might be good to know what version of the audit package (auditctl -v) you
are using and the version of the kernel (uname -r). They were different once
upon a time.
> What will happen if the dir doesn’t exist in case 1 is the rule loads and
> continues. In case 2, the rule will fail to load, thus failing to load all
> rules below it.
In the current code, when it finds a 'w' option, it calls stat on the directory
to ensure it is there. If it is, it converts the call to syscall auditing on
all syscalls. This gets refined when it finds the -perm field.
When it finds a 'S', it adds the syscall without any checks. When it finds
'-F dir=' it verifies the filter that it's being placed on, but no other path
checks are done.
That means the -w version is more strict and needs a directory to exist when
the rule loads. The code in this area is probably at least 15 years old
without much reworking.
> Per the auditctl(8) man page -F (rule fields) are not supported by
> watchers. This doesn’t appear to be true any longer, as watchers do seem
> to honor -F (extensive testing not performed).
My man page differs. It says:

    The -w form of writing watches is for backwards compatibility and is
    deprecated due to poor system performance. Convert watches of this form
    to the syscall based form.
> Any insight or suggestions? I am considering using a watcher with rule
> fields despite it not being officially supported due to the loading error
> with syscalls.
I'd be curious what versions you are using.
-Steve
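Added example (not from this thread or the audit project): since one rule that refers to a missing directory can abort loading the rest of an `auditctl -R` rules file, a pre-flight check over the rules file is a cheap way to see the problem before the load rather than after. The function below assumes the file uses the one-rule-per-line format that `auditctl -R` reads, extracts the path from `-w PATH` and from `-F dir=PATH` / `-F path=PATH`, and reports every rule whose path does not exist on this host. It does not call auditctl and takes no position on which of the two forms the kernel or auditctl rejects; it only tells the operator which lines reference paths that are absent.

```shell
#!/bin/sh
# check_rule_paths RULES_FILE
# Scan an auditctl -R style rules file (constructed input in the usage below)
# and print "<lineno>: <path>" for each rule whose watched path is missing.
# Returns 0 when every referenced path exists, 1 otherwise.
# Note: a rule path containing shell glob characters would be expanded by the
# word split below; audit rules normally carry literal paths.
check_rule_paths() {
    rules="$1"
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;      # skip blank lines and comments
        esac
        path=
        prev=
        # Walk the rule's arguments; the path follows -w, or is the value of
        # -F dir=... / -F path=... in the syscall form.
        for arg in $line; do
            case "$prev" in
                -w) path="$arg" ;;
                -F) case "$arg" in
                        dir=*|path=*) path="${arg#*=}" ;;
                    esac ;;
            esac
            prev="$arg"
        done
        [ -n "$path" ] || continue    # rule does not reference a path
        if [ ! -e "$path" ]; then
            printf '%d: %s\n' "$n" "$path"
            status=1
        fi
    done < "$rules"
    return $status
}

# Usage (constructed sample rules in a scratch directory):
#   tmp=$(mktemp -d); mkdir "$tmp/present"
#   printf -- '-w %s -p wa -k t1\n-a always,exit -F dir=%s -F perm=wa -k t2\n' \
#       "$tmp/present" "$tmp/missing" > "$tmp/audit.rules"
#   check_rule_paths "$tmp/audit.rules" || echo "fix the listed paths first"
```

Run it against the rules file before `auditctl -R`; a non-zero exit with the offending line numbers lets you create the directory, drop the rule, or move it to the end of the file so a failure there does not take the remaining rules with it.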