id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
387	Support for Linux audit system suffers from various quirks	rainer	rainer	"(1) Placing a watch on a directory does not place a watch on the directory inode itself. This is a ""feature"" of the Linux audit system and needs to be mitigated by placing an explicit watch on the directory inode (to be fixed).

(2) Even then, changing a directory timestamp with /bin/touch generates an audit log entry with ""success=no"", although the timestamp changes. This is because /bin/touch will first try to open() the directory, which fails with EISDIR (Is a directory), and only this is recorded by the audit system. Don't know how to mitigate this.

(3) Samhain currently fetches the wrong audit log entry if only the ctime but not the mtime is changed (e.g. chmod). To be fixed.

(4) The default auditd configuration on Ubuntu sets 'flush = INCREMENTAL'. As a result, the audit log entry might not be written yet when Samhain tries to fetch it. Auditd should be configured with 'flush = DATA' or 'flush = SYNC', and this needs to be mentioned in the Samhain documentation.

(investigation instigated by Bond)"	defect	closed	major	4.1.0	main		fixed		
