Re: Bypassing audit's file watches



On Fri, 2006-07-07 at 22:00 -0400, Amy Griffis wrote:
<snip>
> 
> As Tim mentioned, the idea is that to determine if a file is modified,
> you would filter for open() calls with either the O_RDWR or O_WRONLY
> flag.  This is pretty unwieldy with the current feature set since you
> would need a separate rule for every possible combination of flags
> that includes O_RDWR or O_WRONLY.  I really think we need to enhance
> the filtering options available for open() calls, since trying to
> audit the actual modifications is much more difficult.
> 
> If you are missing events for open() calls, please let us know since
> that would be a bug (versus a lacking feature).
> 
> Thanks for testing.
> 
> Amy
> 

I think this is a bug.  We see audit records for a failed attempt at
writing a file (e.g. chmod -w foo, echo "bar" > foo) via redirection,
but not otherwise.

-tim
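As an added illustration of the filtering Amy describes (this is not code from the thread or from the audit project), here is a small Python post-processor that classifies audit SYSCALL records by whether the open()/openat() flags requested write access. Because the access mode lives in the low two bits of the flags word, one mask test replaces the per-combination rules the post calls unwieldy; the sample records, syscall-number table and field layout are assumptions modelled on the standard audit record format.

```python
import re

# Access-mode bits of the open() flags word (asm-generic fcntl.h values).
O_ACCMODE, O_RDONLY, O_WRONLY, O_RDWR = 0o3, 0o0, 0o1, 0o2

# Assumed syscall numbers for open/openat per arch, and which argument carries the flags.
# audit reports arch as the AUDIT_ARCH value in hex: c000003e = x86_64, 40000003 = i386.
OPEN_SYSCALLS = {
    "c000003e": {2: "a1", 257: "a2"},   # x86_64: open(2), openat(257)
    "40000003": {5: "a1", 295: "a2"},   # i386:   open(5),  openat(295)
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn 'key=value key2="v"' into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def opens_for_write(flags):
    """True if the open flags request write access (O_WRONLY or O_RDWR)."""
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)

def classify(line):
    """Return None for non-open records, else (comm, success, write_capable)."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return None
    flag_arg = OPEN_SYSCALLS.get(rec.get("arch"), {}).get(int(rec.get("syscall", -1)))
    if flag_arg is None:
        return None
    flags = int(rec[flag_arg], 16)      # audit prints syscall args as bare hex
    return rec.get("comm"), rec.get("success") == "yes", opens_for_write(flags)

SAMPLE_LOG = [
    # constructed: bash redirection `echo bar > foo` -> O_WRONLY|O_CREAT|O_TRUNC = 0x241, denied (EACCES)
    'type=SYSCALL msg=audit(1152324000.101:1): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1234 a1=241 a2=1b6 a3=0 items=1 pid=4242 auid=500 uid=500 comm="bash" exe="/bin/bash"',
    # constructed: the same redirection, permitted
    'type=SYSCALL msg=audit(1152324000.102:2): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=241 a2=1b6 a3=0 items=1 pid=4243 auid=500 uid=500 comm="bash" exe="/bin/bash"',
    # constructed: read-only open by cat; must not count as a modification
    'type=SYSCALL msg=audit(1152324000.103:3): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5678 a1=0 a2=0 a3=0 items=1 pid=4244 auid=500 uid=500 comm="cat" exe="/bin/cat"',
    # constructed: i386 openat(O_RDWR|O_APPEND) = 0x402, flags in a2
    'type=SYSCALL msg=audit(1152324000.104:4): arch=40000003 syscall=295 success=yes exit=4 a0=ffffff9c a1=bf801234 a2=402 a3=0 items=1 pid=4245 auid=500 uid=500 comm="vi" exe="/usr/bin/vi"',
]

def write_opens(lines):
    """(comm, success) for every record whose open flags would permit modifying the file."""
    return [(c, ok) for c, ok, w in filter(None, map(classify, lines)) if w]
```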
