Good afternoon Linux audit list,

I believe I’ve come across a bug in Linux audit when writing syscall monitors 
for a directory.

File watchers are suggested to be syscall rules under the hood. I don’t believe 
this is true, based on the different behavior of syscall rules and file watcher 
rules when monitoring directories that don’t exist.
Suggested to be equivalent per auditctl(8):

-w /tmp/fakedir -p warx -k test1
-a always,exit -F dir=/tmp/fakedir -F perm=warx -k test2

What will happen if the dir doesn’t exist in case 1 is the rule loads and 
continues. In case 2, the rule will fail to load, thus failing to load all 
rules below it.

Per the auditctl(8) man page, -F (rule fields) are not supported by watchers. 
This doesn’t appear to be true any longer, as watchers do seem to honor -F 
(extensive testing not performed).

Any insight or suggestions? I am considering using a watcher with rule fields 
despite it not being officially supported due to the loading error with 
syscalls.
_______________________________________________
Linux-audit mailing list -- [email protected]
To unsubscribe send an email to [email protected]

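A pre-load check for the situation described in the post, added here as an example and not code from the poster or the audit project: it reads a rules file, drops any -a rule whose -F dir= path does not exist (the lines that would abort loading and take every rule below them with them), keeps -w watches unchanged since those load regardless, and reports what it skipped on stderr. The rules file and directory names are constructed for the demo; the helper name is hypothetical.

```shell
#!/bin/sh
# filter_audit_rules RULES_FILE
#   Prints the rules that are safe to hand to "auditctl -R" on stdout and one
#   "skipped:" line per dropped rule on stderr. Only syscall rules carrying a
#   "-F dir=PATH" field whose PATH is not an existing directory are dropped;
#   comments, blank lines and -w watch rules pass through untouched.
filter_audit_rules() {
    rules_file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        dir=""
        # Pick up the value of a "-F dir=..." field, if the rule has one.
        for tok in $line; do
            case "$tok" in
                dir=*) dir="${tok#dir=}" ;;
            esac
        done
        if [ -n "$dir" ] && [ ! -d "$dir" ]; then
            printf 'skipped: %s (directory %s missing)\n' "$line" "$dir" >&2
            continue
        fi
        printf '%s\n' "$line"
    done < "$rules_file"
}

# Demo with a constructed rules file: a watch on a missing dir, a syscall rule
# on the same missing dir, and a syscall rule on a dir that does exist.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/real"
cat > "$demo_dir/audit.rules" <<EOF
-w $demo_dir/fakedir -p warx -k test1
-a always,exit -F dir=$demo_dir/fakedir -F perm=warx -k test2
-a always,exit -F dir=$demo_dir/real -F perm=warx -k test3
EOF
filter_audit_rules "$demo_dir/audit.rules"
rm -rf "$demo_dir"
```

Running the demo prints the test1 watch and the test3 rule, and reports the test2 rule as skipped.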