[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Adding multiple watch rules on same path



On Tuesday 22 August 2006 11:32, Loulwa Salem wrote:
> As I was running some of our watch tests, I noticed the following:
> You can add multiple watches on the same path if you specify different
> filter key values. That doesn't make sense to me, so I wanted to check if
> that is an intended behavior? 

I have programmed anything to allow or disallow this behavior. I'm sure there 
are many many combinations of things that do not make sense together like any 
field other than -F messagetype when exclude filter is picked. But I have not 
thought up all combinations of what should and should not be allowed. The 
logic for that might make auditctl more complex than it need be.

On the otherhand, suppose you wrote a system that dynamically alters the audit 
rules. You could use the keyfield to identify those rules so that you do not 
have to think about baseline rules the admin may have in place. IOW, you can 
issue another rule to watch /etc/shadow for writes without checking to see if 
it already exists. Also, you can delete the rule without worry that you are 
deleting something the admin wants there as baseline.

So, I can sort of see a use for it.

> Is this is how auditctl will remain to function, because we need to make
> changes to our functions accordingly

I'm undecided about whether to keep the behavior or not. I don't see much harm 
in it and it might turn out to be useful.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]