File watchers are deprecated

[n9]

(Just to track from man auditctl.8.)

The -w form of writing watches is for backwards compatibility and is deprecated due to poor system performance. Convert watches of this form to the syscall based form.

Examples:

To watch a file for changes (2 ways to express):

auditctl -w /etc/shadow -p wa # Note this slows the system
auditctl -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa

To recursively watch a directory for changes (2 ways to express):

auditctl -w /etc/ -p wa # Note this slows the system
auditctl -a always,exit -F arch=b64 -F dir=/etc/ -F perm=wa

[kovacs-andras]

wow you are right, I haven't seen this change yet (Sep 24, 2023) linux-audit/audit-userspace@dd846b5#diff-ad7bcc936952a07512b62979369a29707578fabc81ec7da725aebf3598375b1cR276

[Pierre-Gronau-ndaal]

have anyone an idea how we can prevent double the lines cause of the arch option like:

-a always,exit -F arch=b32 -F dir=/etc/ -F perm=wa
-a always,exit -F arch=b64 -F dir=/etc/ -F perm=wa

to cover 32 bit systems as well

[kovacs-andras]

With a different config file. https://github.com/Neo23x0/auditd/blob/master/audit.rules#L793-L798

[Neo23x0]

For me the biggest problem with this is backwards compatibility.
Cause I want this config to be usable on Linux OSs that are 10 years old. (the things you find in customer environments)
Maybe the best solution would be to create two configs. A "standard" one and a "legacy" one.