On Friday 22 December 2006 08:38, Curtas, Anthony R. wrote: > My main confusion on getting started is the difference between syscalls > and watches.
Syscalls audit syscalls based on the various parameters accessible during the syscall. This means that every syscall is affected since it has to be analyzed to determine if it meets the criteria to trigger or suppress an audit event. If you use syscalls to audit files, you have to do it by inode. This is fine for files that do not move. You can also use devmajor/minor to watch whole disks or devices. Watches solve the problem by allowing you to audit a file by its name. The kernel then converts it to inode auditing internally and changes the inode that is being audited whenever the file is moved/renamed. Watches also do not affect the performance of every syscall. > It seems watches can do almost all of what I need, but they seem to be > less "configurable" than the syscalls (like ignoring if root changes > anything). This is true in RHEL4. RHEL5/FC6 is more configurable. > Can someone explain the difference and where one is more appropriate than > the other. Syscalls are appropriate whenever you have something global to audit. Watches are more appropriate when you are interested in specific files. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
