From: Steve Grubb <sgrubb@redhat.com>
To: LC Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
Subject: Re: A question about the directory watch in audit_tree.c in kernel
Date: Thu, 22 May 2008 09:09:21 -0400
Message-ID: <200805220909.22149.sgrubb@redhat.com>
In-Reply-To: <1211459293.6597.9.camel@homeserver>
On Thursday 22 May 2008 08:28:13 LC Bruzenak wrote:
> Steve, do any of the syscall directory watches recursively audit to the
> bottom of a given directory tree?
Yes, any watch on a directory does. auditctl does the following
transformations:
-w /etc -p wa
becomes:
-a always,exit -F dir=/etc -F perm=wa
while
-w /etc/shadow -p wa
becomes:
-a always,exit -F path=/etc/shadow -F perm=wa
It's not necessary to have -S as the perm field selects the appropriate
syscalls based on the permissions you are interested in.
> I had kept many "-w" fields in place b/c the man page says they do not
> impact performance based on the number of rules, and I wanted the full
> subtree covered.
They are in fact transformed into the above which is the new API. The -w form
is easier to write, but if you wanted to do something special like only see
writes to a file caused by a certain range of auids or failures, then you
have to use the new form of the rule.
-a always,exit -F path=/etc/shadow -F perm=wa -F exit=-EACCES -F auid>=500
> Should look to changing these watches to specific syscall watches in
> order to not get "legacied out" at some point?
No, they are the same thing. You only need to change if you wanted to do
something extra.
-Steve
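As an added illustration (not code from this thread or from the audit project), the rewrite Steve describes above, modelled in Python: a `-w PATH -p PERMS` watch becomes `-a always,exit -F dir=PATH` for a directory or `-F path=PATH` for a single file, and any extra `-F` fields the `-w` form cannot express are appended. The `is_dir` callback and `extra_filters` list are assumed parameters so the rewrite can be exercised without root or a running auditd.

```python
"""Model of the -w -> -a rule rewrite performed by auditctl."""
import os
import shlex
from typing import Callable, List, Optional

# Permission letters auditctl accepts in a -p set (read, write, execute, attr).
VALID_PERMS = set("rwxa")


def watch_to_syscall_rule(
    watch_rule: str,
    is_dir: Optional[Callable[[str], bool]] = None,
    extra_filters: Optional[List[str]] = None,
) -> str:
    """Rewrite '-w PATH [-p PERMS]' into the '-a always,exit -F ...' form.

    is_dir decides whether PATH becomes 'dir=' (whole subtree) or 'path='
    (single object). It defaults to os.path.isdir, which is what auditctl
    effectively checks at rule-load time; it is a parameter (assumption for
    this example) so the rewrite can run against paths that do not exist.
    extra_filters are additional '-F' fields such as 'auid>=500' that the
    -w shorthand has no way to express.
    """
    if is_dir is None:
        is_dir = os.path.isdir
    tokens = shlex.split(watch_rule)
    path = None
    perms = "rwxa"  # libaudit's default when -p is omitted: all four kinds
    i = 0
    while i < len(tokens):
        if tokens[i] == "-w" and i + 1 < len(tokens):
            path = tokens[i + 1]
            i += 2
        elif tokens[i] == "-p" and i + 1 < len(tokens):
            perms = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in watch rule")
    if path is None:
        raise ValueError("watch rule has no -w PATH")
    if not perms or (set(perms) - VALID_PERMS):
        raise ValueError(f"invalid permission set {perms!r}")
    field = "dir" if is_dir(path) else "path"
    parts = ["-a", "always,exit", "-F", f"{field}={path}", "-F", f"perm={perms}"]
    for extra in extra_filters or []:
        parts += ["-F", extra]
    return " ".join(parts)
```

The `dir=` form covers the whole subtree, which is why a `-w` on a directory does not need one rule per file; filters such as `exit=-EACCES` or `auid>=500` are the one thing that forces you to write the long form by hand.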