clarify watches and recursion
RH-steve-grubb committed Sep 22, 2017
1 parent dd0fdc9 commit 6bcd029
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion docs/audit.rules.7
Expand Up @@ -9,7 +9,7 @@ audit.rules \- a set of rules loaded in the kernel audit system
Control commands generally involve configuring the audit system rather than telling it what to watch for. These commands typically include deleting all rules, setting the size of the kernel's backlog queue, setting the failure mode, setting the event rate limit, or to tell auditctl to ignore syntax errors in the rules and continue loading. Generally, these rules are at the top of the rules file.

.SS File System
File System rules are sometimes called watches. These rules are used to audit access to particular files or directories that you may be interested in. If the path given in the rule is a directory, then the rule used is recursive to the bottom of the directory tree excluding any directories that may be mount points. The syntax of these rules generally follow this format:
File System rules are sometimes called watches. These rules are used to audit access to particular files or directories that you may be interested in. If the path given in a watch rule is a directory, then the rule used is recursive to the bottom of the directory tree excluding any directories that may be mount points. The syntax of these watch rules generally follow this format:

.nf
.B \-w path-to-file \-p permissions \-k keyname
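Review bot: the added line keeps the awkward "then the rule used is recursive to the bottom of the directory tree" wording from the removed line, and "The syntax of these watch rules generally follow this format" has a subject/verb mismatch (follow vs. follows). Since the point of the commit is to clarify this sentence, suggest: "If the path given in a watch rule is a directory, the watch is recursive to the bottom of the directory tree, excluding any directories that are mount points. The syntax of these watch rules generally follows this format:".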
@@ -31,6 +31,15 @@ where the permission are any one of the following:
.B a
- change in the file's attribute
.RE

Watches can also be created using the syscall format described below which allow for greater flexibility and options. Using syscall rules you can choose between
.B path
and
.B dir
which is against a specific inode or directory tree respectively. It should also be noted that the recursive directory watch will stop if there is a mount point below the parent directory. There is an option to make the mounted subdirectory equivalent by using a
.B -q
rule.

.SS System Call
The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible.

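Review bot: the ".B -q" line is missing the man-page hyphen escape used elsewhere in this file (".B \-w path-to-file \-p permissions \-k keyname" above); write ".B \-q" so the option renders consistently. In the same paragraph, "which allow for greater flexibility and options" should be "which allows", and the sentence "It should also be noted that the recursive directory watch will stop if there is a mount point below the parent directory" repeats what the watch paragraph above already says; folding it into the -q sentence ("Because a recursive watch stops at mount points, a -q rule can be used to make the mounted subdirectory equivalent") would avoid the duplication. Two documentation gaps remain: "path" and "dir" are named but the paragraph never shows how they appear in a syscall rule (the -F path= / -F dir= field form would make it concrete), and the -q line does not say what argument -q takes, so a reader cannot write the rule from this text alone.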