Hi, I have done some analysis and digging into how both the watch rules and syscall rules are translated.
From my understanding, in terms of logging, both the below rules are similar. There is no difference in either of the rules.

1. -w /etc -p wa -k ETC_WATCH
2. -a always,exit -F arch=b64 -S <all syscalls part of the write and attr classes> -F dir=/etc -F perm=wa -k ETC_WATCH

The write and attr classes consist of syscalls in "include/asm-generic/audit_*.h". The perm flag is needed in the second case for including open/openat syscalls which are not a part of the write and attr syscall list.

I'd like to verify if what I mentioned earlier is accurate, and I have an additional point, but it depends on whether this is accurate.

Ali
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
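The translation Ali describes, a `-w` watch rule expanded into an `-a always,exit` syscall rule built from the write and attr syscall classes, as an added worked example (not code from the poster, the mailing list, or the audit project). The header excerpts embedded below are constructed samples written in the shape of the kernel's `include/asm-generic/audit_write.h` and `audit_change_attr.h`; the function names `parse_class`, `parse_watch_rule` and `watch_to_syscall_rule` are hypothetical helpers for this example, and the `-F perm=` filter is kept on the generated rule for the reason the message gives (open/openat are not in either class list).

```python
import re

# Constructed excerpts in the shape of the kernel's include/asm-generic/
# audit_write.h and audit_change_attr.h: one "__NR_<name>," entry per line,
# some wrapped in #ifdef guards. Sample data for this example only; build
# real rules from the real headers of the kernel you actually run.
AUDIT_WRITE_H = """\
__NR_acct,
__NR_swapon,
#ifdef __NR_quotactl
__NR_quotactl,
#endif
__NR_truncate,
__NR_ftruncate,
__NR_rename,
__NR_mkdir,
__NR_rmdir,
#ifdef __NR_creat
__NR_creat,
#endif
__NR_link,
__NR_unlink,
__NR_mkdirat,
__NR_unlinkat,
__NR_renameat,
__NR_linkat,
__NR_symlinkat,
"""

AUDIT_CHANGE_ATTR_H = """\
__NR_chmod,
__NR_fchmod,
#ifdef __NR_chown
__NR_chown,
#endif
__NR_setxattr,
__NR_lsetxattr,
__NR_fsetxattr,
__NR_removexattr,
__NR_fchownat,
__NR_fchmodat,
"""

_ENTRY = re.compile(r"^\s*__NR_(\w+)\s*,")


def parse_class(header_text):
    """Extract syscall names from a class header excerpt.

    #ifdef-guarded entries are kept: a name missing on the target arch is
    simply rejected by auditctl when the generated rule is loaded.
    """
    names = []
    for line in header_text.splitlines():
        m = _ENTRY.match(line)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


# Only the two classes that the watch permissions 'w' and 'a' map to.
CLASSES = {"w": parse_class(AUDIT_WRITE_H), "a": parse_class(AUDIT_CHANGE_ATTR_H)}


def parse_watch_rule(rule):
    """Parse '-w PATH -p PERMS -k KEY' into (path, perms, key)."""
    tokens = rule.split()
    path = perms = key = None
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if flag == "-w":
            path = value
        elif flag == "-p":
            perms = value
        elif flag == "-k":
            key = value
        else:
            raise ValueError("unexpected token in watch rule: %s" % flag)
        i += 2
    if path is None or perms is None:
        raise ValueError("watch rule needs both -w PATH and -p PERMS")
    return path, perms, key


def watch_to_syscall_rule(rule, arch="b64"):
    """Expand a -w watch rule into the equivalent -a always,exit syscall rule."""
    path, perms, key = parse_watch_rule(rule)
    syscalls = []
    for p in perms:
        if p not in CLASSES:
            raise ValueError("no syscall class available for permission %r" % p)
        for name in CLASSES[p]:
            if name not in syscalls:
                syscalls.append(name)
    # -F perm= stays on the rule: open/openat are in neither class list, so
    # without it a write-mode open of a file under the watched tree is missed.
    parts = ["-a", "always,exit", "-F", "arch=" + arch, "-S", ",".join(syscalls),
             "-F", "dir=" + path, "-F", "perm=" + perms]
    if key:
        parts += ["-k", key]
    return " ".join(parts)


if __name__ == "__main__":
    print(watch_to_syscall_rule("-w /etc -p wa -k ETC_WATCH"))
```

Running the block prints the expanded rule for `-w /etc -p wa -k ETC_WATCH`. To compare the two forms on a live system, load each with `auditctl`, list them with `auditctl -l`, and diff the output; any extra syscalls the real headers contribute for your kernel and arch will show up there rather than in this constructed sample.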