Inotify_rm_watch¶

Intro¶

inotify_rm_watch - remove an existing watch on a file system object

Description¶

Inotify_rm_watch is a system call that removes existing watches on a file system object, specified by the watch descriptor wd created by the call inotify_add_watch for the file system object associated with the file descriptor fd.

Inotify_rm_watch does not change the reference count of the file system object, so if a watch is removed for an object for twice, the object is still watched after the second inotify_rm_watch system call.

Arguments¶

fd: int[K] - file descriptor associated to the filesystem object.
wd: int[K] - watch descriptor created by the call inotify_add_watch for the file system object associated with the file descriptor fd.

Available Tags¶

K - Originated from kernel-space.

Hooks¶

inotify_rm_watch¶

Type¶

Kprobes + Kretprobes

Purpose¶

Used to identify calls to the system call inotify_rm_watch. Used for applications that are performing malicious operations on files or directories.

Example Use Case¶

Inotify_rm_watch can be used in a security system that keeps tracks on all changes in a directory. The system can set a watch on a directory and track the changes of all files and sub directories. Whenever a new file is created or a existing file is modified, the system can take the appropriate actions.

Issues¶

There is currently no known issues with this event.

inotify_add_watch - used to add watch on a filesystem object.
inotify_init - used to initialize an inotify instance.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.