inotify_rm_watch - remove an existing watch on a file system object
inotify_rm_watch is a system call that removes an existing watch on a file system object. The watch is identified by the watch descriptor wd that was returned by the inotify_add_watch call for the file system object associated with the file descriptor.
inotify_rm_watch does not change the reference count of the file system object, so if a watch is removed for an object twice, the object is still watched after the second inotify_rm_watch system call.
fd: int[K] - file descriptor associated with the file system object.
wd: int[K] - watch descriptor created by the inotify_add_watch call for the file system object associated with the file descriptor.
K - originated from kernel-space.
Kprobes + Kretprobes
Used to identify calls to the inotify_rm_watch system call, and through them applications that are performing malicious operations on files or directories.
Example Use Case
inotify_rm_watch can be used in a security system that keeps track of all changes in a directory. The system can set a watch on a directory and track the changes to all files and subdirectories. Whenever a new file is created or an existing file is modified, the system can take the appropriate actions.
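The watch lifecycle such a monitor relies on, as an added example in C that is not part of this page or the Tracee project: it creates a temporary directory (a constructed path under /tmp), watches it for file creation, removes the watch with inotify_rm_watch, and checks that the kernel reports the removal as an IN_IGNORED event and that later creations go unreported. A monitor that treats IN_IGNORED as a signal can therefore notice when its own watches disappear. The function names and file names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Create an empty file called name inside dir (constructed test data). */
static int touch(const char *dir, const char *name) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Pop one event from a non-blocking inotify fd: its mask, 0 if the queue is empty, -1 on error. */
static int next_mask(int ifd) {
    char buf[sizeof(struct inotify_event) + NAME_MAX + 1];
    struct inotify_event ev;
    ssize_t n = read(ifd, buf, sizeof buf);
    if (n < (ssize_t)sizeof ev) return errno == EAGAIN ? 0 : -1;
    memcpy(&ev, buf, sizeof ev);   /* copy out to avoid an unaligned access */
    return (int)ev.mask;
}

/* Walk the add -> event -> remove -> IN_IGNORED -> silence lifecycle on a fresh temp directory.
 * Returns 0 when every step behaved as expected, otherwise the number of the failing step. */
int demo_watch_lifecycle(void) {
    char dir[] = "/tmp/inotify_demo_XXXXXX";
    if (!mkdtemp(dir)) return 1;
    int ifd = inotify_init1(IN_NONBLOCK);
    if (ifd < 0) return 2;
    int wd = inotify_add_watch(ifd, dir, IN_CREATE);   /* start monitoring the directory */
    if (wd < 0) return 3;
    if (touch(dir, "a.txt") < 0) return 4;
    int m = next_mask(ifd);
    if (m < 0 || !(m & IN_CREATE)) return 5;           /* creation is reported while watched */
    if (inotify_rm_watch(ifd, wd) < 0) return 6;       /* the system call this page documents */
    m = next_mask(ifd);
    if (m < 0 || !(m & IN_IGNORED)) return 7;          /* the kernel announces the removed watch */
    if (touch(dir, "b.txt") < 0) return 8;
    if (next_mask(ifd) != 0) return 9;                 /* nothing is reported once the watch is gone */
    close(ifd);
    return 0;
}
```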
There are currently no known issues with this event.
inotify_add_watch - used to add a watch on a file system object.
inotify_init - used to initialize an inotify instance.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user read the "events.go" source file to understand the events and their arguments better.