On 2023-09-06 10:56, Amjad Gabbar wrote:
> Hi,
> 
> I have done some analysis and digging into how both the watch rules and
> syscall rules are translated.
> 
> From my understanding, in terms of logging, both the below rules are
> similar. There is no difference in either of the rules.
> 
> 1. -w /etc -p wa -k ETC_WATCH

They are similar in this case.
-w behaves differently depending on the existence of the watched entity
and the presence of a trailing "/".  This is why the form above is
deprecated.

> 2. -a always,exit -F arch=b64 -S <all syscalls part of the write and attr
> classes> -F dir=/etc  -F perm=wa -k ETC_WATCH
> 
> The write and attr classes consist of syscalls in
> “include/asm-generic/audit_*.h“.
> 
>  The perm flag is needed in the second case for including open/openat
> syscalls which are not a part of the write and attr syscall list.
> 
> I'd like to verify if what I mentioned earlier is accurate, and I have an
> additional point but depends on whether this is accurate.
> 
> Ali

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice: +1.613.860 2354 SMS: +1.613.518.6570
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
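The translation discussed in the message above, written out as an added example (this is not code from the thread, from auditctl or from the kernel): a "-w PATH -p PERMS -k KEY" watch rule is parsed and expanded into the "-a always,exit -F arch=b64 -S ... -F dir=PATH -F perm=PERMS -k KEY" form, with -S holding the union of the syscall classes that the -p letters select. The class tables below are a constructed, illustrative subset that I assume for the example; the authoritative lists are the include/asm-generic/audit_*.h headers and differ by architecture. As the thread notes, open/openat are absent from the -S list and are matched only through the perm filter.

```python
"""Expand a deprecated auditctl '-w' watch rule into the equivalent
'-a always,exit ... -F dir=... -F perm=...' syscall rule.

Added example, not project code.  SYSCALL_CLASSES is a constructed subset
(assumption); take the real lists from include/asm-generic/audit_*.h.
"""
import shlex

# Constructed subset of the kernel's audit syscall classes (assumption).
# 'link'/'linkat' appear in both write and attr, so the union must dedupe.
SYSCALL_CLASSES = {
    "write": ["rename", "renameat", "mkdir", "mkdirat", "rmdir", "creat",
              "link", "linkat", "unlink", "unlinkat", "symlink", "symlinkat",
              "mknod", "mknodat", "truncate", "ftruncate"],
    "attr": ["chmod", "fchmod", "fchmodat", "chown", "fchown", "lchown",
             "fchownat", "setxattr", "lsetxattr", "fsetxattr", "removexattr",
             "lremovexattr", "fremovexattr", "link", "linkat"],
    "read": ["readlink", "readlinkat", "getxattr", "lgetxattr", "fgetxattr",
             "listxattr", "llistxattr", "flistxattr"],
    "exec": ["execve", "execveat"],
}

# -p / -F perm= letters and the class header each one corresponds to.
PERM_TO_CLASS = {"r": "read", "w": "write", "x": "exec", "a": "attr"}


def parse_watch_rule(rule):
    """Parse '-w PATH -p PERMS [-k KEY]' into {'path', 'perms', 'key'}.

    -p is required here so that the expansion is explicit; whatever
    auditctl does when -p is omitted is deliberately not modelled.
    """
    tokens = shlex.split(rule)
    out = {"path": None, "perms": None, "key": None}
    flags = {"-w": "path", "-p": "perms", "-k": "key"}
    i = 0
    while i < len(tokens):
        field = flags.get(tokens[i])
        if field is None or i + 1 >= len(tokens):
            raise ValueError(f"unsupported or dangling option {tokens[i]!r}")
        out[field] = tokens[i + 1]
        i += 2
    if out["path"] is None or out["perms"] is None:
        raise ValueError("watch rule needs both -w PATH and -p PERMS")
    for letter in out["perms"]:
        if letter not in PERM_TO_CLASS:
            raise ValueError(f"unknown permission letter {letter!r}")
    return out


def syscalls_for_perms(perms, classes=SYSCALL_CLASSES):
    """Union of the syscall classes selected by the perm letters, in
    first-seen order and without duplicates."""
    names, seen = [], set()
    for letter in perms:
        for name in classes[PERM_TO_CLASS[letter]]:
            if name not in seen:
                seen.add(name)
                names.append(name)
    return names


def watch_to_syscall_rule(rule, classes=SYSCALL_CLASSES, arch="b64",
                          watch_field="dir"):
    """Build the '-a always,exit' rule equivalent to a '-w' watch rule.

    watch_field is 'dir' (recursive directory watch, as in the thread) or
    'path' for a single object.  -F perm= is kept because it is what
    catches open/openat, which are not members of the write/attr classes.
    """
    w = parse_watch_rule(rule)
    parts = ["-a", "always,exit", "-F", f"arch={arch}",
             "-S", ",".join(syscalls_for_perms(w["perms"], classes)),
             "-F", f"{watch_field}={w['path']}",
             "-F", f"perm={w['perms']}"]
    if w["key"]:
        parts += ["-k", w["key"]]
    return " ".join(parts)


if __name__ == "__main__":
    print(watch_to_syscall_rule("-w /etc -p wa -k ETC_WATCH"))
```

The output for the thread's rule starts with "-a always,exit -F arch=b64 -S rename,renameat,..." and ends with "-F dir=/etc -F perm=wa -k ETC_WATCH"; swap SYSCALL_CLASSES for the lists taken from the kernel headers of the target architecture before using the result in a real rules file.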