On 2023-09-06 10:56, Amjad Gabbar wrote:
> Hi,
>
> I have done some analysis and digging into how both the watch rules and
> syscall rules are translated.
>
> From my understanding, in terms of logging, both the below rules are
> similar. There is no difference in either of the rules.
>
> 1. -w /etc -p wa -k ETC_WATCH

They are similar in this case. -w behaves differently depending on the existence of the watched entity and the presence of a trailing "/". This is why the form above is deprecated.

> 2. -a always,exit -F arch=b64 -S <all syscalls part of the write and attr
> classes> -F dir=/etc -F perm=wa -k ETC_WATCH
>
> The write and attr classes consist of syscalls in
> "include/asm-generic/audit_*.h".
>
> The perm flag is needed in the second case for including open/openat
> syscalls which are not a part of the write and attr syscall list.
>
> I'd like to verify if what I mentioned earlier is accurate, and I have an
> additional point but depends on whether this is accurate.
>
> Ali

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice: +1.613.860 2354
SMS: +1.613.518.6570
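As an added example (not part of the thread or of the audit project), the following Python parser normalises both rule forms discussed above into a comparable structure, so a rule set being migrated away from the deprecated -w form can be checked for matching target, perms and key. The two rule strings are constructed from the thread; "-S all" stands in for the elided syscall list, and the existence check only reflects the host the script runs on.

```python
import os
import shlex

# Constructed sample rules modelled on the two forms in the thread.
# The syscall list is elided in the original; "-S all" is a stand-in.
WATCH_RULE = "-w /etc -p wa -k ETC_WATCH"
SYSCALL_RULE = ("-a always,exit -F arch=b64 -S all "
                "-F dir=/etc -F perm=wa -k ETC_WATCH")


def parse_rule(line):
    """Parse one auditctl rule line (-w form or -a/-S/-F form) into a dict.

    The target path is normalised so that a trailing "/" does not affect
    comparison, which is one of the points where -w behaves differently.
    """
    argv = shlex.split(line)
    rule = {"form": None, "action": None, "target": None,
            "perms": set(), "key": None, "syscalls": [], "fields": {}}
    for opt, arg in zip(argv[0::2], argv[1::2]):
        if opt == "-w":
            rule["form"] = "watch"
            rule["target"] = arg.rstrip("/") or "/"
        elif opt == "-p":
            rule["perms"] = set(arg)
        elif opt == "-k":
            rule["key"] = arg
        elif opt == "-a":
            rule["form"] = "syscall"
            rule["action"] = arg
        elif opt == "-S":
            rule["syscalls"].extend(arg.split(","))
        elif opt == "-F":
            name, _, value = arg.partition("=")
            if name in ("dir", "path"):
                rule["target"] = value.rstrip("/") or "/"
            elif name == "perm":
                rule["perms"] = set(value)
            else:
                rule["fields"][name] = value
        else:
            raise ValueError(f"unsupported option {opt!r}")
    return rule


def same_watch_target(a, b):
    """True when both rules cover the same path, perms and key."""
    return (a["target"], a["perms"], a["key"]) == (b["target"], b["perms"], b["key"])


def watch_target_kind(rule):
    """Report whether the watched entity currently exists as dir, file, or not at all."""
    target = rule["target"]
    if os.path.isdir(target):
        return "dir"
    return "file" if os.path.exists(target) else "missing"
```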