[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: File watching



Timothy R. Chavez wrote:
On Tue, 2006-06-20 at 14:32 -0400, Steve wrote:
Instead, you audit the file open, and make a note of whether the file
was opened read-only, or for read/write.  If it was opened for
read/write, one presumes that it was written to.
Is it possible to tell if a file was opened read/write or read-only from the events generated by audit?

Thanks,
Steve

Hi Steve,

You should be able to ascertain this information from the open() audit
record.  I thought at one time the flags were recorded in the record,
but perhaps no longer (or maybe my memory does not serve me well :)).
The record does record syscall arguments, however, so perhaps you could
analyze a1= (I believe this is the argument that passes flags), and
figure out what flags open() was called with.  Admittedly, I'm not
so knowledgeable these days as to what is actually being reported in the
audit log.

Tim,

You are correct, the associated meaning for a1 with the open syscall is flags [ http://www.linux-m32r.org/lxr/http/source/fs/open.c#L1100 ].

In the following example open() syscall record, you can see a1 is 0x8000.
type=SYSCALL msg=audit(1150567434.940:1386): arch=40000003 syscall=5 success=yes exit=3 a0=93bd6e0 a1=8241 a2=1b6 a3=8241 items=2 ppid=2106 pid=2108 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:staff_r:staff_t:s0-s15:c0.c255

a0 -- pointer, not useful
a1 -- the flags used for creation, in this case 0x8241 -> O_WRONLY | O_CREAT | O_TRUNC | O_LARGEFILE
a2 -- the mode, in this case 0x1b6 -> 0666

http://www.linux-m32r.org/lxr/http/source/include/asm-generic/fcntl.h#L7

Can you guess what simple shell command I used to get this log? :P

Thanks,
Mike
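To make the flag decoding described above mechanical, here is an added example (not code from the thread or the audit project) that parses a SYSCALL record, picks the flags argument by arch and syscall (a1 for open, a2 for openat), names the bits using the asm-generic fcntl.h values, and reports whether the open could modify the file. The x86_64 openat() record and its values are constructed.

```python
import re
# Added example, not code from the thread. Flag values are the asm-generic ones
# (include/asm-generic/fcntl.h) shared by i386 (arch=40000003) and x86_64
# (arch=c000003e); other architectures differ, so their records are rejected.
O_ACCMODE, O_CREAT, O_TRUNC = 0o3, 0o100, 0o1000
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR", 3: "O_ACCMODE=3"}
OPEN_FLAGS = {O_CREAT: "O_CREAT", 0o200: "O_EXCL", O_TRUNC: "O_TRUNC",
              0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o40000: "O_DIRECT",
              0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY",
              0o400000: "O_NOFOLLOW", 0o1000000: "O_NOATIME", 0o2000000: "O_CLOEXEC"}
# (arch, syscall) -> (argument holding flags, argument holding mode):
# open(path, flags, mode) uses a1/a2, openat(dirfd, path, flags, mode) a2/a3.
FLAG_ARGS = {("40000003", "5"): ("a1", "a2"), ("40000003", "295"): ("a2", "a3"),
             ("c000003e", "2"): ("a1", "a2"), ("c000003e", "257"): ("a2", "a3")}

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def decode_open_flags(flags):
    """Name the access mode, then every set flag bit; keep unknown bits visible."""
    names = [ACCESS_MODES[flags & O_ACCMODE]]
    names += [n for bit, n in sorted(OPEN_FLAGS.items()) if flags & bit]
    unknown = flags & ~(O_ACCMODE | sum(OPEN_FLAGS))
    return names + (["unknown=0x%x" % unknown] if unknown else [])

def classify_open(line):
    """Return who opened a file and whether the open could modify it, else None."""
    rec = parse_record(line)
    args = FLAG_ARGS.get((rec.get("arch"), rec.get("syscall")))
    if rec.get("type") != "SYSCALL" or args is None:
        return None
    flags = int(rec[args[0]], 16)  # audit prints a0..a3 as bare hex
    return {"pid": rec.get("pid"), "comm": rec.get("comm"),
            "flags": decode_open_flags(flags),
            # creation mode only means something when O_CREAT is set
            "mode": "%04o" % int(rec[args[1]], 16) if flags & O_CREAT else None,
            # read-only means neither write access nor truncation was asked for
            "writable": (flags & O_ACCMODE) != 0 or bool(flags & O_TRUNC)}

# The open() record quoted above, plus a constructed x86_64 openat() record for
# a read-only open (a0=ffffffffffffff9c is AT_FDCWD).
RECORD_OPEN_I386 = ("type=SYSCALL msg=audit(1150567434.940:1386): arch=40000003 "
    "syscall=5 success=yes exit=3 a0=93bd6e0 a1=8241 a2=1b6 a3=8241 items=2 "
    "ppid=2106 pid=2108 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 "
    'fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:staff_r:staff_t:s0-s15:c0.c255')
RECORD_OPENAT_X86_64 = ("type=SYSCALL msg=audit(1150567434.950:1387): arch=c000003e "
    "syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd1234 a2=80000 a3=0 "
    'items=1 pid=2110 uid=1000 comm="cat" exe="/bin/cat"')
```

Running classify_open over the two records yields O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE with mode 0666 for the bash open, and O_RDONLY|O_CLOEXEC, not writable, for the constructed cat openat.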

