On Thursday 22 May 2008 08:28:13 LC Bruzenak wrote: > Steve, do any of the syscall directory watches recursively audit to the > bottom of a given directory tree?
Yes, any watch on a directory does. auditctl does the following transformations: -w /etc - p wa becomes: -a always,exit -F dir=/etc -F perm=wa while -w /etc/shadow -p wa becomes: -a always,exit -F path=/etc/shadow -F perm=wa Its not necessary to have -S as the perm field selects the appropriate syscalls based on the permissions you are interested in. > I had kept many "-w" fields in place b/c the man page says they do not > impact performance based on the number of rules, and I wanted the full > subtree covered. They are in fact transformed into the above which is the new API. The -w form is easier to write, but if you wanted to do something special like only see writes to a file caused by a certain range of auids or failures, then you have to use the new form of the rule. -a always,exit -F path=/etc/shadow -F perm=wa -F exit=-EACCES -F auid>=500 > Should look to changing these watches to specific syscall watches in > order to not get "legacied out" at some point? No, they are the same thing. You only need to change if you wanted to do something extra. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
