From: Steve Grubb <sgrubb@redhat.com>
To: Loulwa Salem <loulwas@us.ibm.com>
Cc: linux-audit@redhat.com
Subject: Re: Adding multiple watch rules on same path
Date: Tue, 22 Aug 2006 11:51:14 -0400
Message-ID: <200608221151.14150.sgrubb@redhat.com>
In-Reply-To: <44EB239D.4040709@us.ibm.com>

On Tuesday 22 August 2006 11:32, Loulwa Salem wrote:
> As I was running some of our watch tests, I noticed the following:
> You can add multiple watches on the same path if you specify different
> filter key values. That doesn't make sense to me, so I wanted to check if
> that is an intended behavior? 

I haven't programmed anything to allow or disallow this behavior. I'm sure there 
are many, many combinations of things that do not make sense together, like any 
field other than -F messagetype when the exclude filter is picked. But I have not 
thought up all combinations of what should and should not be allowed. The 
logic for that might make auditctl more complex than it needs to be.

On the other hand, suppose you wrote a system that dynamically alters the audit 
rules. You could use the key field to identify those rules so that you do not 
have to think about baseline rules the admin may have in place. IOW, you can 
issue another rule to watch /etc/shadow for writes without checking to see if 
it already exists. Also, you can delete the rule without worry that you are 
deleting something the admin wants there as a baseline.

So, I can sort of see a use for it.

> Is this how auditctl will continue to function, because we need to make
> changes to our functions accordingly

I'm undecided about whether to keep the behavior or not. I don't see much harm 
in it and it might turn out to be useful.

-Steve
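
The key-based bookkeeping Steve describes above, as an added example that is not part of the original mail or of the audit package: a small rule manager that parses an `auditctl -l` style listing, adds its own watch on /etc/shadow tagged with its own key without caring whether an admin baseline watch on the same path exists, and later removes only the rules carrying that key. The `auditctl -w/-p/-k` and `-W` syntax is auditctl's own; the sample listing, the key names and the assumption that a delete must match path, permissions and key are constructed for this example. The code only builds command lines, so it runs without root or a live audit subsystem.

```python
"""
Manage one program's own audit watch rules by key, next to admin baseline rules.

Added example, not code from the original mail or from the audit project.
Assumptions (constructed for illustration): the `auditctl -l` listing below,
the key names, and that `auditctl -W` must repeat path, perms and key to
delete a rule. Commands are returned as strings, never executed.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed `auditctl -l` output: two admin baseline watches plus one
# watch on the same path that a dynamic rule manager added under its own key.
SAMPLE_LISTING = """\
-w /etc/shadow -p wa -k shadow-baseline
-w /etc/passwd -p wa -k passwd-baseline
-w /etc/shadow -p wa -k myapp-dynamic
"""

OUR_KEY = "myapp-dynamic"  # hypothetical key identifying rules we own


@dataclass(frozen=True)
class Watch:
    """A file watch rule; the key is part of its identity, so two watches on
    the same path with different keys are distinct rules."""
    path: str
    perms: str
    key: Optional[str]


def parse_watch_rules(listing: str) -> List[Watch]:
    """Parse the -w lines of an `auditctl -l` listing; other rule types are skipped."""
    rules: List[Watch] = []
    for line in listing.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "-w":
            continue
        opts = {}
        i = 0
        while i < len(argv):
            if argv[i] in ("-w", "-p", "-k") and i + 1 < len(argv):
                opts[argv[i]] = argv[i + 1]
                i += 2
            else:
                i += 1
        # auditctl's default permission set when -p is omitted is rwxa.
        rules.append(Watch(opts["-w"], opts.get("-p", "rwxa"), opts.get("-k")))
    return rules


def add_command(path: str, perms: str, key: str) -> str:
    """Command that installs a keyed watch rule."""
    return f"auditctl -w {path} -p {perms} -k {key}"


def plan_add(rules: List[Watch], path: str, perms: str, key: str) -> Optional[str]:
    """Return the add command, or None if our identical keyed rule is already
    installed. A baseline watch on the same path under another key does not
    count as ours and does not prevent the add."""
    if Watch(path, perms, key) in rules:
        return None
    return add_command(path, perms, key)


def delete_commands(rules: List[Watch], key: str) -> List[str]:
    """Commands that delete exactly the rules tagged with `key`, leaving any
    baseline rules on the same paths untouched."""
    return [f"auditctl -W {r.path} -p {r.perms} -k {r.key}"
            for r in rules if r.key == key]


if __name__ == "__main__":
    current = parse_watch_rules(SAMPLE_LISTING)
    print("add:", plan_add(current, "/etc/shadow", "wa", OUR_KEY))
    print("add:", plan_add(current, "/etc/group", "wa", OUR_KEY))
    for cmd in delete_commands(current, OUR_KEY):
        print("cleanup:", cmd)
```

Running the block shows that a second add of the already-installed keyed watch is skipped, a watch on a new path is emitted, and cleanup deletes only the myapp-dynamic rule while the shadow-baseline watch on the same path stays in place.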

Thread overview: 3+ messages
2006-08-22 15:32 Adding multiple watch rules on same path Loulwa Salem
2006-08-22 15:51 ` Steve Grubb [this message]
2006-08-22 18:30   ` Klaus Weidner
