
Re: File watching

Steve wrote:
Is it possible to tell if a file was opened read/write or read-only from the events generated by audit?

The record does record syscall arguments, however, so perhaps you could
analyze a1= (I believe this is the argument that passes flags), and
figure out what flags open() was called with.

I performed an open on a file twice, the first is when the user had read/write privileges to the file and in the second the user only has read permissions. These were the a# values from the events, respectively:

a0=bfe6ac25 a1=8000 a2=0 a3=8000

a0=bfd25b55 a1=8000 a2=0 a3=8000

I'm not sure how to analyze that...

In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and O_LARGEFILE (0100000 octal, 0x8000 hex).

So it was opened as read-only. You can't determine the level of access the user has from the above, although you should be able to infer some information about it from the entire record.
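The decoding described above, done in code. This is an added example, not part of the thread or of the audit tools: it pulls the a0..a3 values out of a SYSCALL record and splits a1 into the access mode (low two bits, O_ACCMODE) and the remaining O_* bits. The flag constants are the x86 values from the kernel's asm-generic/fcntl.h; O_LARGEFILE in particular is architecture-specific, so records should be decoded against the architecture named in their arch= field. The first two records reuse the a# values quoted in the thread; the last two are constructed to show what read/write and create-for-write opens look like.

```python
import re

# Open flag values as used on x86 (kernel asm-generic/fcntl.h).
# O_LARGEFILE (0o100000 = 0x8000) is architecture-specific; these values
# are an assumption valid for x86 records, not for every arch= value.
O_ACCMODE = 0o3
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = [
    (0o100, "O_CREAT"),
    (0o200, "O_EXCL"),
    (0o400, "O_NOCTTY"),
    (0o1000, "O_TRUNC"),
    (0o2000, "O_APPEND"),
    (0o4000, "O_NONBLOCK"),
    (0o10000, "O_DSYNC"),
    (0o20000, "O_ASYNC"),
    (0o40000, "O_DIRECT"),
    (0o100000, "O_LARGEFILE"),
    (0o200000, "O_DIRECTORY"),
    (0o400000, "O_NOFOLLOW"),
    (0o1000000, "O_NOATIME"),
    (0o2000000, "O_CLOEXEC"),
]

# Audit prints syscall arguments as bare hex, e.g. "a1=8000".
ARG_RE = re.compile(r"\ba([0-3])=([0-9a-fA-F]+)")


def syscall_args(record):
    """Return {'a0': hex, 'a1': hex, ...} from one SYSCALL record line."""
    return {"a" + idx: val for idx, val in ARG_RE.findall(record)}


def decode_open_flags(a1_hex):
    """Split the a1 (flags) argument of open() into symbolic O_* names."""
    flags = int(a1_hex, 16)
    # The access mode is a 2-bit field, not individual bits; value 3 is invalid.
    names = [ACCESS_MODES.get(flags & O_ACCMODE, "O_ACCMODE=3?")]
    remaining = flags & ~O_ACCMODE
    for bit, name in OPEN_FLAGS:
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:  # bits this table does not know about (other arch, newer kernel)
        names.append("0x%x" % remaining)
    return names


def writes_possible(a1_hex):
    """True if the descriptor returned by this open() could be written to."""
    return int(a1_hex, 16) & O_ACCMODE in (1, 2)


# Constructed records. The a# values of the first two are those quoted in
# the thread; the last two are made up to show read/write and create/truncate.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(0.0:1): arch=40000003 syscall=5 success=yes exit=3 "
    "a0=bfe6ac25 a1=8000 a2=0 a3=8000",
    "type=SYSCALL msg=audit(0.0:2): arch=40000003 syscall=5 success=yes exit=3 "
    "a0=bfd25b55 a1=8000 a2=0 a3=8000",
    "type=SYSCALL msg=audit(0.0:3): arch=40000003 syscall=5 success=yes exit=3 "
    "a0=bfe6ac25 a1=8002 a2=0 a3=8002",
    "type=SYSCALL msg=audit(0.0:4): arch=40000003 syscall=5 success=yes exit=4 "
    "a0=bfe6ac25 a1=8241 a2=1b6 a3=8241",
]


def analyze(records):
    """For each record, return (a1, decoded flag names, write access possible)."""
    out = []
    for rec in records:
        a1 = syscall_args(rec)["a1"]
        out.append((a1, decode_open_flags(a1), writes_possible(a1)))
    return out


if __name__ == "__main__":
    for a1, names, rw in analyze(SAMPLE_RECORDS):
        print("a1=%-5s %-45s write=%s" % (a1, "|".join(names), rw))
```

Note that this only tells you how the process asked to open the file. It says nothing about the permissions the user holds on it, which is exactly the point made above; a read-only open by a user who could also have written is indistinguishable here from one by a user who could not.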

