On Mon, 2014-04-21 at 11:35 -0700, lists_t...@mac.com wrote:
> > On Apr 21, 2014, at 11:28 AM, Steve Grubb <sgr...@redhat.com> wrote:
> >
> > > What happens is that the text path that you put in a watch is a
> > > human convenience. The kernel doesn't understand strings, it
> > > understands numbers. It changes the path into device and inode
> > > information.
>
> Cool. So I am guessing the rule works even if someone creates a hard
> link to the same watched path and accesses files through that other
> path?
As I remember, and it's been a long time, watches should survive even if
the object being watched is deleted and recreated. I seem to remember it
was only if the parent directory is deleted that rules get evicted. So
that doesn't explain it for /boot! Pretty darn hard to delete /! But it
could easily make sense for your other areas being watched...

But yes, if you watch /etc/shadow and someone accesses that inode through
another hard link, you will get audit records...

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
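An added illustration of the point made in this thread (it is not code from the thread or from the audit project): an audit watch is keyed on the device and inode that the path resolves to, so a hard link, which is just a second name for the same inode, reaches the same watched object. The script below builds a throwaway file and a hard link to it under a temporary directory (constructed for the demo, standing in for /etc/shadow), compares their device:inode identity with GNU stat, and prints the auditctl watch rule that would be used rather than loading it, since loading rules needs root and a running audit subsystem. The helper names kernel_identity, same_object and watch_rule are this example's own.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes GNU coreutils
# stat (the -c format option) and a POSIX shell.
set -eu

# kernel_identity PATH -> prints "device:inode" for PATH, the pair the
# kernel actually tracks for a watch (stat does not follow symlinks here,
# so a symlink reports its own inode, not its target's).
kernel_identity() {
    stat -c '%D:%i' "$1"
}

# same_object A B -> prints "yes" when both names resolve to one inode on
# the same device (i.e. a watch on A also covers accesses through B).
same_object() {
    if [ "$(kernel_identity "$1")" = "$(kernel_identity "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# watch_rule PATH KEY -> prints the auditctl command for a watch on PATH
# that records reads, writes, executes and attribute changes, tagged KEY.
# Printed only; running it requires root and auditd.
watch_rule() {
    printf 'auditctl -w %s -p rwxa -k %s\n' "$1" "$2"
}

# Constructed demo files: a stand-in for /etc/shadow plus a hard link to it
# and an unrelated file for comparison.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'root:*:0:0:99999:7:::\n' > "$demo_dir/shadow"
ln "$demo_dir/shadow" "$demo_dir/shadow.hardlink"
printf 'other\n' > "$demo_dir/unrelated"

echo "watched object:   $(kernel_identity "$demo_dir/shadow")"
echo "via hard link:    $(kernel_identity "$demo_dir/shadow.hardlink")"
echo "unrelated file:   $(kernel_identity "$demo_dir/unrelated")"
echo "hard link hits the watched inode: $(same_object "$demo_dir/shadow" "$demo_dir/shadow.hardlink")"
echo "unrelated file hits it:           $(same_object "$demo_dir/shadow" "$demo_dir/unrelated")"
echo "rule that would be loaded: $(watch_rule /etc/shadow shadow-access)"
```

Because the comparison is on device:inode rather than on the path string, the "yes" for the hard link is exactly why an access through the second name still produces audit records with the watch's key; the unrelated file reports "no" even though it lives in the same directory.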