From: Loulwa Salem
Subject: Adding multiple watch rules on same path
Date: Tue, 22 Aug 2006 10:32:45 -0500
Message-ID: <44EB239D.4040709@us.ibm.com>
To: sgrubb@redhat.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi Steve,

As I was running some of our watch tests, I noticed the following:
You can add multiple watches on the same path if you specify different filter key values. That doesn't make sense to me, so I wanted to check if that is an intended behavior, and if so, why?
Also, since you can have multiple watches on the same path, it is no longer sufficient to do a "-W " to remove the watch; now you have to specify which watch to remove by using the "-k key" as well.
Is this how auditctl will remain to function, because we need to make changes to our functions accordingly?

I am on the latest rawhide kernel (2.6.17-1.2573.fc6) and audit-1.2.5-8

[root~]# auditctl -w /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -w /tmp/file2 -k first-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -w /tmp/file2 -k second-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -W /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -W /tmp/file2
Error sending delete rule request (No rule matches)
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
chmod,fchmod,chown,fchown,lchown

-Loulwa
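
Added example, not part of the original message and not code from the audit project: a shell script that parses "auditctl -l" output in the LIST_RULES format quoted above, reports paths carrying more than one watch, and prints the delete command each rule needs (with -k where the rule is keyed, as the message describes). The function names and the sample rules are constructed for illustration; paths and keys are assumed to contain no whitespace.

```shell
#!/bin/sh
# Constructed sample in the LIST_RULES format from the message (syscall list
# shortened; the wrapped continuation lines are kept on purpose).
SAMPLE='LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate,
chmod,fchmod
LIST_RULES: exit,always watch=/tmp/file2 key=second-key syscall=open,truncate,
chmod,fchmod
LIST_RULES: exit,always watch=/tmp/file2 syscall=open,truncate,
chmod,fchmod
LIST_RULES: exit,always watch=/etc/passwd key=ident syscall=open,truncate,
chmod,fchmod'

# parse_watches: read "auditctl -l" output on stdin and print "path<TAB>key"
# for every watch rule; key is "-" when the rule has no key= field.
# Wrapped continuation lines do not start with LIST_RULES: and are skipped.
parse_watches() {
    awk '/^LIST_RULES:/ {
        path = ""; key = "-"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^watch=/) path = substr($i, 7)
            else if ($i ~ /^key=/) key = substr($i, 5)
        }
        if (path != "") print path "\t" key
    }'
}

# dup_watch_paths: print each path that carries more than one watch rule.
dup_watch_paths() {
    parse_watches | cut -f1 | sort | uniq -d
}

# removal_cmds PATH: print one delete command per watch on PATH, adding
# "-k key" for keyed rules. Commands are printed for review, not executed.
removal_cmds() {
    parse_watches | awk -F '\t' -v p="$1" '$1 == p {
        if ($2 == "-") print "auditctl -W " $1
        else print "auditctl -W " $1 " -k " $2
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | dup_watch_paths
printf '%s\n' "$SAMPLE" | removal_cmds /tmp/file2
```

On a live system the same functions can be fed with "auditctl -l | dup_watch_paths", provided the installed auditctl still prints rules in this format.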