SUSE / linux-security-sensor

Linux security sensor

Add chattr plugin #21

Closed lorddoskias closed 2 years ago

lorddoskias commented 2 years ago

This PR adds the chattr plugin as per SENS-20. Example JSON output of an event:

```json
{
  "Timestamp": "2022-04-12 13:50:42",
  "Path": "/root/get-num-extwriters.py",
  "Dir": false,
  "Sha256sum": "f01b48d4763f5b122d218c1faff8419ca41b27b1f3161984790f82b90fa85675",
  "Action": "SET"
}
```

In case we have a directory, the hash sum won't be calculated. The BPF code is written such that an event is triggered only when it will result in an actual change of immutable state, i.e. 2 or more consecutive set or clear operations would result in a single event being produced.

Tested on both 5.3 kernel and upstream.
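The two rules stated in the description (no hash for directories; one event per actual flip of the immutable flag, so repeated set or clear requests collapse) can be modelled in user space as a small state tracker. The following is an added example written for this page, not code from the PR or from the linux-security-sensor project: the real plugin reads the inode flags in BPF, whereas `ImmutableTracker` here simply remembers the last state it saw per path. The `CLEAR` action name, the `ImmutableTracker` type and the choice to keep `Sha256sum` present but empty for directories are assumptions; the event field names and the `SET` action come from the JSON sample above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"time"
)

// ChattrEvent mirrors the JSON event shape shown in the PR description.
type ChattrEvent struct {
	Timestamp string `json:"Timestamp"`
	Path      string `json:"Path"`
	Dir       bool   `json:"Dir"`
	Sha256sum string `json:"Sha256sum"` // empty for directories (assumption: field kept, left blank)
	Action    string `json:"Action"`
}

const (
	ActionSet   = "SET"   // immutable flag turned on (chattr +i), as in the PR sample
	ActionClear = "CLEAR" // immutable flag turned off (chattr -i); assumed name, not shown in the PR
)

// ImmutableTracker models the "only emit on a real change" rule: it remembers
// the last immutable state per path and suppresses events for repeated SET or
// repeated CLEAR requests. This is a hypothetical user-space stand-in for the
// kernel-side check the plugin performs.
type ImmutableTracker struct {
	state map[string]bool
	now   func() time.Time
}

func NewImmutableTracker() *ImmutableTracker {
	return &ImmutableTracker{state: map[string]bool{}, now: time.Now}
}

// hashFile returns the hex SHA-256 of a regular file's contents.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Observe records a requested immutable-flag change. It returns nil when the
// request would not flip the flag (duplicate set/clear); otherwise it returns
// an event carrying the directory flag and, for regular files only, the hash.
func (t *ImmutableTracker) Observe(path string, setImmutable bool) (*ChattrEvent, error) {
	if prev, known := t.state[path]; known && prev == setImmutable {
		return nil, nil // no state change, so no event
	}
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	t.state[path] = setImmutable
	ev := &ChattrEvent{
		Timestamp: t.now().Format("2006-01-02 15:04:05"),
		Path:      path,
		Dir:       info.IsDir(),
		Action:    ActionClear,
	}
	if setImmutable {
		ev.Action = ActionSet
	}
	if !ev.Dir {
		if ev.Sha256sum, err = hashFile(path); err != nil {
			return nil, err
		}
	}
	return ev, nil
}

// JSON renders the event with the same keys as the PR example.
func (e *ChattrEvent) JSON() (string, error) {
	b, err := json.MarshalIndent(e, "", " ")
	return string(b), err
}

func main() {
	// Constructed sample: a temp file receives set, set, clear; only two events result.
	dir, _ := os.MkdirTemp("", "chattr-example")
	defer os.RemoveAll(dir)
	file := dir + "/sample.py"
	_ = os.WriteFile(file, []byte("print('hello')\n"), 0o600)
	tr := NewImmutableTracker()
	for _, set := range []bool{true, true, false} {
		if ev, err := tr.Observe(file, set); err == nil && ev != nil {
			s, _ := ev.JSON()
			fmt.Println(s)
		}
	}
}
```

Running the block on the constructed temp file prints two events (a `SET` with a hash and a `CLEAR`), with the duplicate set swallowed; observing a directory yields an event with `"Dir": true` and no hash, matching the behaviour the description states.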

lorddoskias commented 2 years ago

Superseded by #31