
Re: File watching

On Tue, Jun 20, 2006 at 01:53:14PM -0400, Steve wrote:
| I have audit set to monitor all system calls for a file.  I see some 
| system calls for it, but I think some may be missing...  If I create the 
| file using vi, I only see an open followed by a stat64.  Shouldn't there 
| be a write of some type?  stat and open can't write to a file, can they?

Generally (and I'm speaking from my experience with Snare, here), one
does not attempt to audit the actual read and write syscalls.  Mainly
because there are far, far too many of them, and you need their
performance to be as high as conceivably possible.

Instead, you audit the file open, and make a note of whether the file
was opened read-only, or for read/write.  If it was opened for
read/write, one presumes that it was written to.


| Thanks,
| Steve

Jonathan Abbey 				              jonabbey arlut utexas edu
Applied Research Laboratories                 The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
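
The approach described in the reply above, as an added example that is not part of the original thread: a Python parser that pairs each audit SYSCALL record for open/openat with its PATH record and decodes the flags argument to separate read-only opens from opens for writing. The sample records are constructed, and the record field layout and the i386/x86_64 syscall numbers are assumptions about the log being parsed.

```python
import re

# Linux open(2) flag bits (identical on i386 and x86_64).
O_ACCMODE, O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0o3, 0o1, 0o2, 0o100, 0o1000
# (arch, syscall number) -> SYSCALL field that holds the flags argument.
FLAG_ARG = {
    ("40000003", "5"): "a1",    # i386 open(path, flags, mode)
    ("40000003", "295"): "a2",  # i386 openat(dirfd, path, flags, mode)
    ("c000003e", "2"): "a1",    # x86_64 open
    ("c000003e", "257"): "a2",  # x86_64 openat
}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def classify_opens(lines):
    """Return (path, comm, access, creates_or_truncates) per successful open."""
    syscalls, names = {}, {}
    for line in lines:
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        eid = rec.get("msg")  # "audit(time:serial):" is shared by one event
        if rec.get("type") == "SYSCALL":
            syscalls[eid] = rec
        elif rec.get("type") == "PATH":
            # Assumption: the last PATH record of an event names the file
            # itself (on a create, the first one is the parent directory).
            names[eid] = rec.get("name")
    out = []
    for eid, rec in syscalls.items():
        arg = FLAG_ARG.get((rec.get("arch"), rec.get("syscall")))
        if arg is None or rec.get("success") != "yes":
            continue  # not an open (e.g. stat64), or the open failed
        flags = int(rec[arg], 16)  # audit prints syscall arguments in hex
        writable = (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)
        out.append((names.get(eid), rec.get("comm"),
                    "writable" if writable else "read-only",
                    bool(flags & (O_CREAT | O_TRUNC))))
    return out

# Constructed sample records, trimmed to the fields used (not from the thread).
SAMPLE = [
    'type=SYSCALL msg=audit(1150826000.100:101): arch=40000003 syscall=5 success=yes a1=8241 comm="vi"',
    'type=PATH msg=audit(1150826000.100:101): item=0 name="/home/steve/"',
    'type=PATH msg=audit(1150826000.100:101): item=1 name="/home/steve/notes.txt"',
    'type=SYSCALL msg=audit(1150826000.110:102): arch=40000003 syscall=195 success=yes a1=bf8a comm="vi"',
    'type=SYSCALL msg=audit(1150826000.200:103): arch=40000003 syscall=5 success=yes a1=8000 comm="cat"',
    'type=PATH msg=audit(1150826000.200:103): item=0 name="/home/steve/notes.txt"',
    'type=SYSCALL msg=audit(1150826000.300:104): arch=40000003 syscall=5 success=no a1=8002 comm="ed"',
]
if __name__ == "__main__":
    print(*classify_opens(SAMPLE), sep="\n")
```

An open reported as writable only shows that the process could have written; as the reply says, the write itself is presumed rather than observed.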
