From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: peculiar disappearance of most audit rules
Date: Mon, 21 Apr 2014 15:03:28 -0400
Message-ID: <1398107008.2596.2.camel@flatline.rdu.redhat.com>
References: <1806426.QoIu6KxFX5@x2> <720F8F1C-2248-4BD7-9164-818F816662A1@mac.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <720F8F1C-2248-4BD7-9164-818F816662A1@mac.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: lists_todd@mac.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, 2014-04-21 at 11:35 -0700, lists_todd@mac.com wrote:
> 
> On Apr 21, 2014, at 11:28 AM, Steve Grubb wrote:
> 
> > What happens is that the text path that you put in a watch is a human
> > convenience. The kernel doesn't understand strings, it understands
> > numbers. It changes the path into device and inode information.
> 
> Cool. So I am guessing the rule works even if someone creates a hard
> link to the same watched path and accesses files through that other
> path?

As I remember, and it's been a long time, watches should survive even if
the object being watched is deleted and recreated. I seem to remember it
was only if the parent directory is deleted that rules get evicted. So
that doesn't explain it for /boot! Pretty darn hard to delete /!

But it could easily make sense for your other areas being watched...

But yes, if you watch /etc/shadow and someone accesses that inode
through another hard link, you will get audit records...
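The point made in the thread above is that an audit watch is keyed on the file's (device, inode) pair rather than on the path string, so every hard link to a watched file is covered, while a separate copy of the file is not. The script below is an added example, not code from the thread or from the audit project: it builds the two cases in a temporary directory and compares the identities the kernel would actually match on. It assumes GNU coreutils `stat` (for `-c '%d:%i'`) and a writable temp directory; the sample file contents are constructed, and the `auditctl`/`ausearch` commands appear only in comments because they need root and a running auditd.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread): why an inode-keyed audit
# watch fires for every hard link of a file but not for a copy of it.
# Assumes GNU coreutils `stat`; needs no root and no auditd.
#
# On a real system the rule and the check would be (root, auditd running):
#   auditctl -w /etc/shadow -p rwa -k shadow_watch   # watch by path -> (dev, inode)
#   auditctl -l                                      # list the loaded rules
#   cat /some/other/hardlink/to/shadow               # access through another name
#   ausearch -k shadow_watch                         # events are still recorded

# Return "dev:inode" for a path: the identity the kernel stores for a watch.
file_identity() {
    stat -c '%d:%i' "$1"
}

# Succeed if two paths name the same on-disk object.
same_object() {
    [ "$(file_identity "$1")" = "$(file_identity "$2")" ]
}

# Create a constructed stand-in for /etc/shadow in a scratch directory.
make_shadow() {
    printf 'root:*:0:0:99999:7:::\n' > "$1/shadow"
}

# Hard link: two names, one inode. A watch on "shadow" covers "shadow.link" too.
# Prints "same" or "different".
demo_hardlink_identity() {
    dir=$(mktemp -d)
    make_shadow "$dir"
    ln "$dir/shadow" "$dir/shadow.link"
    if same_object "$dir/shadow" "$dir/shadow.link"; then r=same; else r=different; fi
    rm -rf "$dir"
    echo "$r"
}

# Copy: two names, two inodes. A watch on "shadow" says nothing about "shadow.copy".
# Prints "same" or "different".
demo_copy_identity() {
    dir=$(mktemp -d)
    make_shadow "$dir"
    cp "$dir/shadow" "$dir/shadow.copy"
    if same_object "$dir/shadow" "$dir/shadow.copy"; then r=same; else r=different; fi
    rm -rf "$dir"
    echo "$r"
}

# Stand-alone usage: show both results.
echo "hard link vs original: $(demo_hardlink_identity)"
echo "copy vs original:      $(demo_copy_identity)"
```

The practical consequence for a detection engineer is that a path watch on a sensitive file already catches reads through any alternate hard link, but a `cp` of the file is a fresh inode and needs its own rule (or a directory watch on wherever copies might land).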