Open mssalvatore opened 4 years ago
Hey, I'd like to help with this issue if it is still available!
@ydocsgnillats It's all yours!
@mssalvatore Thanks! So I know I will need to add to the tmpwatcher.py file. To make sure I understand correctly, you want to stop multiples of the same event being logged or the same event type (IN_CREATE, IN_ATTRIB, etc.) being logged more than once?
When TmpWatcher sends alerts, they generally look something like, WARNING - Found permissions matching mask 077 on file: /tmp/1
You'll note, there's no distinction between whether or not that alert is as a result of creation or a change to the permissions. If inotify sends those 2 events in rapid succession, TmpWatcher will therefore send identical alerts, which is unnecessary.
Most likely, you'll want to modify _should_send_alert() to check if this alert is identical to the previous alert.
Because inotify may send multiple events in rapid succession (i.e. IN_CREATE followed by IN_ATTRIB), duplicate alerts often get logged. Add code to avoid generating identical alerts.
Moved from OWWatcher https://github.com/mssalvatore/owwatcher/issues/1
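One way to suppress the duplicate alerts discussed in this issue, as an added example that is not TmpWatcher's or OWWatcher's own code. The `AlertDeduplicator` class, the `filter_alerts` helper, the one-second window and the entry cap are all hypothetical; the real `_should_send_alert()` signature is not shown on this page.

```python
import time
from collections import OrderedDict

# Constructed sample: inotify reporting creation, then a permission change,
# on the same file in rapid succession, followed by a second file.
SAMPLE_EVENTS = [("IN_CREATE", "/tmp/1"), ("IN_ATTRIB", "/tmp/1"), ("IN_CREATE", "/tmp/2")]


class AlertDeduplicator:
    """Suppress an alert identical to one recently sent (hypothetical helper)."""

    def __init__(self, window=1.0, max_entries=4096, clock=time.monotonic):
        self._window = window            # seconds in which a repeat counts as a duplicate
        self._max_entries = max_entries  # bound memory if the directory is flooded with files
        self._clock = clock              # injectable so the logic can be tested without sleeping
        self._recent = OrderedDict()     # (path, message) -> time the alert was last sent

    def should_send(self, path, message):
        now = self._clock()
        key = (path, message)
        last = self._recent.get(key)
        if last is not None and now - last < self._window:
            # Same alert text for the same file, e.g. IN_ATTRIB right after IN_CREATE.
            return False
        # Outside the window the alert is sent again, so a file that is recreated
        # later with the same bad permissions is still reported.
        self._recent[key] = now
        self._recent.move_to_end(key)
        while len(self._recent) > self._max_entries:
            self._recent.popitem(last=False)  # evict the oldest entry
        return True


def filter_alerts(events, dedup, mask="077"):
    """Return the alert messages that would be logged for (event_type, path)
    pairs already known to match the permission mask."""
    sent = []
    for _event_type, path in events:
        # The message carries no event type, which is why the two events collide.
        message = f"Found permissions matching mask {mask} on file: {path}"
        if dedup.should_send(path, message):
            sent.append(message)
    return sent


if __name__ == "__main__":
    for line in filter_alerts(SAMPLE_EVENTS, AlertDeduplicator()):
        print("WARNING - " + line)
```

Keying on the path and message together with a time window, rather than comparing only against the single previous alert, keeps duplicates suppressed when events for different files interleave.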