[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Adding multiple watch rules on same path



Hi Steve,
As I was running some of our watch tests, I noticed the following:
You can add multiple watches on the same path if you specify different filter key values. That doesn't make sense to me, so I wanted to check if that is an intended behavior? and if so why?

Also, since you can have multiple watches on same path, it is no longer sufficient to do a "-W <path>" to remove the watch, now you have to specify which watch to remove by using the "-k key" as well. Is this is how auditctl will remain to function, because we need to make changes to our functions accordingly

I am on the latest rawhide kernel(2.6.17-1.2573.fc6) and audit-1.2.5-8

[root~]# auditctl -w /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -w /tmp/file2 -k first-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -w /tmp/file2 -k second-key
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -W /tmp/file2
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

[root~]# auditctl -W /tmp/file2
Error sending delete rule request (No rule matches)
[root~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/file2 key=first-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown
LIST_RULES: exit,always watch=/tmp/file2 key=second-key syscall=open,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,
	chmod,fchmod,chown,fchown,lchown

-Loulwa


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]