Description
Context:
From a couple of other issues, #94 and #157, it seems like it's expected behaviour for audit to generate events for writes to watched directories even when there is a symlink. However, it doesn't flag in certain circumstances, which is not expected, from my understanding.
My problem is, I have an audit rule like this in my audit.rules file: `-w /etc -p wa -k ro_fs`
The intention is to generate an audit event for any writes or changes to the etc directory. However, there are some symlinks in this etc directory which point to directories outside of etc that are writeable, and I don't have any audit rule set up to watch those directories. Writing directly to the directory, like var/lib/etc for example, which is not watched, does not give me an audit event, which is expected. But if I have a symlink pointing to that directory, I get an audit event when writing to that symlink. This behaviour is not what I want. A symlink write to a writeable directory should be fine, but audit does not recognize that, so how do I get audit to distinguish between symlink writes and non-symlink writes? If this is not a bug, can this feature be added?
OS:
```
uname -a
Linux id-ECF3SGJG 6.1.115 #1 SMP PREEMPT_DYNAMIC Wed Jun 11 05:43:06 EDT 2025 x86_64 GNU/Linux
```
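A check that follows from the situation above, added here as an example and not code from the issue or from the audit project: enumerate the symlinks inside a watched tree whose targets resolve outside it, so an administrator knows in advance which entries a `-w /etc` watch covers only by name while the real directory behind them is unwatched. The directory layout is constructed in a temporary directory; `etc` and `var/lib/etc` under it stand in for the reporter's paths.

```python
"""Find symlinks under a watched directory whose targets resolve outside it."""
import os
import tempfile
from pathlib import Path


def escaping_symlinks(watched_root):
    """Return sorted (link, resolved_target) pairs for every symlink below
    watched_root whose resolved target lies outside watched_root.
    Dangling links and symlink loops are skipped: nothing writable is behind them."""
    root = Path(watched_root).resolve()
    found = []
    # followlinks=False: symlinked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=True)
            except (OSError, RuntimeError):
                continue
            if target != root and root not in target.parents:
                found.append((str(p), str(target)))
    return sorted(found)


def build_demo_tree(base):
    """Constructed demo layout (not a real system): base/etc/sub, base/var/lib/etc,
    and three symlinks in base/etc covering the escaping, inside and dangling cases."""
    base = Path(base)
    (base / "etc" / "sub").mkdir(parents=True)
    (base / "var" / "lib" / "etc").mkdir(parents=True)
    os.symlink("../var/lib/etc", base / "etc" / "outside_link")  # escapes the watch
    os.symlink("sub", base / "etc" / "inside_link")              # stays inside
    os.symlink("missing", base / "etc" / "dangling")             # dangling, skipped
    return base / "etc"


def demo():
    """Build the demo tree in a temp dir and return the escaping links as
    (link relative to the watched root, target relative to the temp base)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        etc = build_demo_tree(base)
        return [(os.path.relpath(link, etc), os.path.relpath(target, base))
                for link, target in escaping_symlinks(etc)]


if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```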