auditd: Difference between watch and syscall

Asked Mar 16 '16 at 14:52

Active Mar 16 '16 at 14:52

Viewed 370 times

There appear to be two ways of specifying an auditd rule to watch a given file or folder. The first uses -a

-a exit,always -F dir=/path/to/file -F perm=wa -F success=1

And the second uses -w

-w /path/to/file -p wa

Aside from one being obviously shorter, the two appear to have the same effect. Is there some subtle difference between them I need to understand?

asked Mar 16 '16 at 14:52

Marcus Downing

Did you read the documentation on `-w` ? – user9517 Mar 16 '16 at 15:02
If you mean the `man` page, yes. It's quite short. It just says `-w` audits "access" to the files, while `-a` audits system calls. Is there more thorough documentation elsewhere? – Marcus Downing Mar 16 '16 at 15:09
2

You need to look at the auditctl man page. – user9517 Mar 16 '16 at 15:38
That appears to say that they are the same. – Marcus Downing Mar 16 '16 at 15:50
2

You missed this bit `The -w form of writing watches is for backwards compatibility...` – user9517 Mar 16 '16 at 17:06

0 Answers0