From: LC Bruzenak
Subject: file watch question
Date: Fri, 16 Aug 2013 15:19:22 -0500
Message-ID: <520E894A.6010403@magitekltd.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Reading the man page for auditctl, looking at file watch rules I see this:

    -w path
        Insert a watch for the file system object at path. You cannot
        insert a watch to the top level directory. This is prohibited by
        the kernel. Wildcards are not supported either and will generate
        a warning. The way that watches work is by tracking the inode
        internally. If you place a watch on a file, it's the same as
        using the -F path option on a syscall rule. If you place a watch
        on a directory, it's the same as using the -F dir option on a
        syscall rule. The -w form of writing watches is for backwards
        compatibility and the syscall based form is more expressive.
        Unlike most syscall auditing rules, watches do not impact
        performance based on the number of rules sent to the kernel. The
        only valid options when using a watch are the -p and -k. If you
        need to do anything fancy like audit a specific user accessing a
        file, then use the syscall auditing form with the path or dir
        fields. See the EXAMPLES section for an example of converting
        one form to another.

I assume if the "-w form" is just backwards-compatible, it is preferred to use the syscall method.

Question - The line saying, "Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel" - does this mean that BOTH the "-w" and "syscall" rules have no performance impact?

Thx,
LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
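The conversion the quoted man page text describes (a -w watch on a file is the same as -F path, on a directory the same as -F dir, with -p becoming -F perm) can be scripted. The following shell function is an added example, not part of the original mail or of the audit project: it rewrites "-w PATH -p PERMS [-k KEY]" into the syscall-form rule. It assumes that whether PATH is a directory is decided with `[ -d ]` on the host running the script, so a path that does not exist locally is treated as a file, and it refuses the two inputs the man page says are rejected (a watch on the top-level directory, and -p letters other than r, w, x, a).

```shell
#!/bin/sh
# Added example (not from the original mail or from audit-userspace):
# rewrite an auditctl "-w PATH -p PERMS [-k KEY]" watch into the
# equivalent syscall-form rule, following the path/dir mapping the
# auditctl man page describes.
#
# Assumption: file-vs-directory is decided with [ -d ] on this host, so
# a PATH that does not exist here is emitted as -F path=.

watch_to_syscall() {
    target=$1
    perms=$2
    key=$3

    # -p only accepts the letters r, w, x and a (and must not be empty)
    case "$perms" in
        ''|*[!rwxa]*)
            echo "watch_to_syscall: bad -p value '$perms'" >&2
            return 1 ;;
    esac

    # the man page says the kernel prohibits a watch on the top-level directory
    if [ "$target" = "/" ]; then
        echo "watch_to_syscall: cannot watch the top-level directory" >&2
        return 1
    fi

    # a watch on a directory is -F dir=, on a file -F path=
    if [ -d "$target" ]; then
        field=dir
    else
        field=path
    fi

    rule="-a always,exit -F $field=$target -F perm=$perms"
    if [ -n "$key" ]; then
        rule="$rule -k $key"
    fi
    printf '%s\n' "$rule"
}

# usage:
#   watch_to_syscall /etc/shadow wa shadow-changes
#   -> -a always,exit -F path=/etc/shadow -F perm=wa -k shadow-changes
```

The output is only the rule text; feeding it to auditctl (or into a rules file) is left to the caller, which keeps the function easy to test without root.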