From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: A question about the directory watch in audit_tree.c in kernel Date: Thu, 22 May 2008 09:09:21 -0400 Message-ID: <200805220909.22149.sgrubb@redhat.com> References: <001701c8ba16$77c11ad0$2e8da70a@fnste3fa5f55c4> <200805211103.34938.sgrubb@redhat.com> <1211459293.6597.9.camel@homeserver> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1211459293.6597.9.camel@homeserver> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: LC Bruzenak Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Thursday 22 May 2008 08:28:13 LC Bruzenak wrote: > Steve, do any of the syscall directory watches recursively audit to the > bottom of a given directory tree? Yes, any watch on a directory does. auditctl does the following transformations: -w /etc - p wa becomes: -a always,exit -F dir=/etc -F perm=wa while -w /etc/shadow -p wa becomes: -a always,exit -F path=/etc/shadow -F perm=wa Its not necessary to have -S as the perm field selects the appropriate syscalls based on the permissions you are interested in. > I had kept many "-w" fields in place b/c the man page says they do not > impact performance based on the number of rules, and I wanted the full > subtree covered. They are in fact transformed into the above which is the new API. The -w form is easier to write, but if you wanted to do something special like only see writes to a file caused by a certain range of auids or failures, then you have to use the new form of the rule. -a always,exit -F path=/etc/shadow -F perm=wa -F exit=-EACCES -F auid>=500 > Should look to changing these watches to specific syscall watches in > order to not get "legacied out" at some point? No, they are the same thing. You only need to change if you wanted to do something extra. -Steve