File watching
Steve
m6x at ornl.gov
Tue Jun 20 18:52:37 UTC 2006
>> Is it possible to tell if a file was opened read/write or read-only from
>> the events generated by audit?
> The record does record syscall arguments, however, so perhaps you could
> analyze a1= (I believe this is the argument that passes flags), and
> figure out what flags open() was called with.
I performed an open on a file twice, the first is when the user had
read/write privileges to the file and in the second the user only has
read permissions. These were the a# values from the events, respectively:
a0=bfe6ac25 a1=8000 a2=0 a3=8000
a0=bfd25b55 a1=8000 a2=0 a3=8000
I'm not sure how to analyze that...
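Added example, not part of the original post: a small Python decoder for the a1 value of an open() audit record. It assumes x86 Linux flag numbering (other architectures number some flags differently); the function names and the 8241/8002 sample values are constructed for illustration.

```python
import re

# open(2) flag values as numbered on x86 Linux (octal, as in the kernel headers).
# Assumption: the audit records come from an x86 host.
O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
FLAG_BITS = {
    0o100: "O_CREAT",
    0o200: "O_EXCL",
    0o400: "O_NOCTTY",
    0o1000: "O_TRUNC",
    0o2000: "O_APPEND",
    0o4000: "O_NONBLOCK",
    0o100000: "O_LARGEFILE",
    0o200000: "O_DIRECTORY",
    0o400000: "O_NOFOLLOW",
}
A1_RE = re.compile(r"\ba1=([0-9a-fA-F]+)\b")


def decode_open_flags(a1_hex):
    """Return (access_mode, [other flag names]) for a hex a1 value."""
    value = int(a1_hex, 16)  # audit prints syscall arguments in hex
    mode = ACCESS_MODES.get(value & O_ACCMODE, "O_ACCMODE(3)")
    rest = value & ~O_ACCMODE
    names = []
    for bit, name in sorted(FLAG_BITS.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))  # bits this table does not name
    return mode, names


def requested_write(record):
    """True if the open() in this record asked for write access."""
    match = A1_RE.search(record)
    if match is None:
        raise ValueError("no a1= field in record")
    mode, _ = decode_open_flags(match.group(1))
    return mode in ("O_WRONLY", "O_RDWR")


if __name__ == "__main__":
    samples = [
        "a0=bfe6ac25 a1=8000 a2=0 a3=8000",    # from the post
        "a0=bfd25b55 a1=8241 a2=1b6 a3=8241",  # constructed: create/truncate for write
        "a0=bfd25b55 a1=8002 a2=0 a3=8002",    # constructed: read/write
    ]
    for line in samples:
        a1 = A1_RE.search(line).group(1)
        print(a1, decode_open_flags(a1), "write" if requested_write(line) else "read-only")
```

Both values quoted in the post decode to O_RDONLY with O_LARGEFILE: a1 carries the access mode the program requested in the call, not the permissions the user holds on the file.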