From: Loulwa Salem <loulwas@us.ibm.com>
To: sgrubb@redhat.com
Cc: linux-audit@redhat.com
Subject: Adding multiple watch rules on same path
Date: Tue, 22 Aug 2006 10:32:45 -0500
Message-ID: <44EB239D.4040709@us.ibm.com>
Hi Steve,
As I was running some of our watch tests, I noticed the following:
You can add multiple watches on the same path if you specify different filter
key values. That doesn't make sense to me, so I wanted to check whether that is
intended behavior, and if so, why?
Also, since you can have multiple watches on the same path, it is no longer
sufficient to do a "-W <path>" to remove the watch; now you have to specify
which watch to remove by using the "-k key" as well.
Is this how auditctl will continue to function? We need to make changes
to our functions accordingly.
I am on the latest Rawhide kernel (2.6.17-1.2573.fc6) and audit-1.2.5-8.
[root~]# auditctl -w /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
[root~]# auditctl -w /tmp/file2 -k first-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
[root~]# auditctl -w /tmp/file2 -k second-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
[root~]# auditctl -W /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
[root~]# auditctl -W /tmp/file2
Error sending delete rule request (No rule matches)
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
-Loulwa
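As an added example (not code from the original message or from the audit project), here is a small POSIX sh helper that reads "auditctl -l" output and emits the delete command for every watch rule on a given path, including the keyed duplicates that a bare "-W <path>" leaves behind. The listing used as input is constructed from the output in the message; the function names watch_delete_cmds, count_watches and remove_watches are assumptions, not auditctl features.

```shell
#!/bin/sh
# Added example, not from the original message or the audit project.
# Given the text of "auditctl -l", print one "auditctl -W <path> [-k <key>]"
# command per watch rule on PATH. A keyed rule must be deleted with the same
# -k value; "-W <path>" alone matches only the unkeyed rule, which is why the
# second bare -W in the message fails with "No rule matches".

# Constructed sample listing, mirroring the wrapped output in the message
# (the syscall list continues on the line after each LIST_RULES line).
SAMPLE_LIST='LIST_RULES: exit,always watch=/tmp/file2 key=first-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/etc/passwd key=passwd-watch
syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown'

# watch_delete_cmds PATH  (listing on stdin)
# Only LIST_RULES lines are inspected, so wrapped syscall lines are ignored.
# The watch= and key= tokens are whitespace-separated fields of that line.
watch_delete_cmds() {
    awk -v path="$1" '
        /^LIST_RULES:/ {
            watch = ""; key = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^watch=/) watch = substr($i, 7)
                if ($i ~ /^key=/)   key   = substr($i, 5)
            }
            if (watch == path) {
                if (key != "") print "auditctl -W " path " -k " key
                else           print "auditctl -W " path
            }
        }'
}

# count_watches PATH  (listing on stdin): number of watch rules on PATH
count_watches() {
    watch_delete_cmds "$1" | wc -l | tr -d ' '
}

# remove_watches PATH: run the generated commands against the live kernel
# (requires root and a real auditctl; not exercised by the demo below).
# Paths are not shell-quoted here, so avoid paths containing whitespace.
remove_watches() {
    auditctl -l | watch_delete_cmds "$1" | sh
}

# Stand-alone demo: the three delete commands needed for the path in the message.
printf '%s\n' "$SAMPLE_LIST" | watch_delete_cmds /tmp/file2
```

Running the demo prints "auditctl -W /tmp/file2 -k first-key", "auditctl -W /tmp/file2 -k second-key" and "auditctl -W /tmp/file2", one per line; a test-cleanup routine that records the keys it used can therefore delete exactly the rules it added instead of relying on a single bare -W.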
Thread overview: 3+ messages
2006-08-22 15:32 Loulwa Salem [this message]
2006-08-22 15:51 Steve Grubb
2006-08-22 18:30 Klaus Weidner