Adding multiple watch rules on same path
Steve Grubb
sgrubb at redhat.com
Tue Aug 22 15:51:14 UTC 2006
On Tuesday 22 August 2006 11:32, Loulwa Salem wrote:
> As I was running some of our watch tests, I noticed the following:
> You can add multiple watches on the same path if you specify different
> filter key values. That doesn't make sense to me, so I wanted to check if
> that is an intended behavior?
I have programmed anything to allow or disallow this behavior. I'm sure there
are many many combinations of things that do not make sense together like any
field other than -F messagetype when exclude filter is picked. But I have not
thought up all combinations of what should and should not be allowed. The
logic for that might make auditctl more complex than it need be.
On the otherhand, suppose you wrote a system that dynamically alters the audit
rules. You could use the keyfield to identify those rules so that you do not
have to think about baseline rules the admin may have in place. IOW, you can
issue another rule to watch /etc/shadow for writes without checking to see if
it already exists. Also, you can delete the rule without worry that you are
deleting something the admin wants there as baseline.
So, I can sort of see a use for it.
> Is this is how auditctl will remain to function, because we need to make
> changes to our functions accordingly
I'm undecided about whether to keep the behavior or not. I don't see much harm
in it and it might turn out to be useful.
-Steve
More information about the Linux-audit
mailing list