File watching

Michael C Thompson thompsmc at us.ibm.com
Tue Jun 20 18:55:41 UTC 2006


Steve wrote:
>>> Is it possible to tell if a file was opened read/write or read-only 
>>> from the events generated by audit?
> 
>> The record does record syscall arguments, however, so perhaps you could
>> analyze a1= (I believe this is the argument that passes flags), and
>> figure out with what flags open() was called with.
> 
> I performed an open on a file twice, the first is when the user had 
> read/write privileges to the file and in the second the user only has 
> read permissions.  These were the a# values from the events, respectively:
> 
> a0=bfe6ac25 a1=8000 a2=0 a3=8000
> 
> a0=bfd25b55 a1=8000 a2=0 a3=8000
> 
> I'm not sure how to analyze that...

In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and 
O_LARGEFILE (0100000 octal, 0x8000 hex).

So you were opened as read-only. You can't determine the level of access 
the user has from the above, although you should be able to infer some 
information about it from the entire record.

Mike
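An added example, not part of this thread, that does the decoding Mike describes on the a1 values quoted above, so a practitioner can check any SYSCALL record the same way. It assumes the generic/x86 O_* flag values from <asm-generic/fcntl.h> (other architectures use different numbers, so the table has to match the arch= field of the record) and i386 syscall numbers for open(2) (5) and openat(2) (295); the surrounding audit fields in the sample records are constructed, only the a# values on the first two come from the thread.

```python
import re

# Flag values are the generic/x86 numbers from <asm-generic/fcntl.h>, in octal as in
# the headers.  Assumption for this example: the records come from an i386/x86 box
# (arch=40000003); alpha, sparc, parisc and mips define different values.
O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
FLAG_BITS = [
    (0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o400, "O_NOCTTY"),
    (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o4000, "O_NONBLOCK"),
    (0o10000, "O_DSYNC"), (0o20000, "FASYNC"), (0o40000, "O_DIRECT"),
    (0o100000, "O_LARGEFILE"), (0o200000, "O_DIRECTORY"),
    (0o400000, "O_NOFOLLOW"), (0o1000000, "O_NOATIME"), (0o2000000, "O_CLOEXEC"),
]

# Which a# argument holds the flags depends on the syscall: open(path, flags, mode)
# puts them in a1, openat(dirfd, path, flags, mode) in a2.  Syscall numbers here are
# the i386 ones (open=5, openat=295); x86_64 uses 2 and 257.
FLAG_ARG_BY_SYSCALL = {"5": "a1", "295": "a2"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def decode_open_flags(hex_value: str) -> list:
    """Turn the hex a# value audit prints into a list of O_* flag names."""
    flags = int(hex_value, 16)
    # The access mode is the low two bits; 3 is not a valid mode.
    names = [ACCESS_MODES.get(flags & O_ACCMODE, "INVALID_ACCMODE")]
    remaining = flags & ~O_ACCMODE
    for bit, name in FLAG_BITS:
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:  # bits not in the table: report them rather than drop them silently
        names.append("UNKNOWN(0x%x)" % remaining)
    return names


def is_write_open(hex_value: str) -> bool:
    """True when the access mode allows writing (O_WRONLY or O_RDWR)."""
    return (int(hex_value, 16) & O_ACCMODE) in (0o1, 0o2)


def parse_syscall_record(line: str) -> dict:
    """Split a type=SYSCALL line into its key=value fields."""
    return dict(FIELD_RE.findall(line))


def classify_record(line: str) -> dict:
    """Locate the flags argument for the syscall and decode it."""
    fields = parse_syscall_record(line)
    arg = FLAG_ARG_BY_SYSCALL.get(fields.get("syscall"))
    if arg is None or arg not in fields:
        return {"syscall": fields.get("syscall"), "flags": None, "write": None}
    return {
        "syscall": fields["syscall"],
        "flags": decode_open_flags(fields[arg]),
        "write": is_write_open(fields[arg]),
    }


# Constructed sample records.  The a# values on the first two are the ones quoted in
# the thread; every other field, and records three and four, are made up for the demo.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1150829741.101:201): arch=40000003 syscall=5 success=yes '
    'exit=3 a0=bfe6ac25 a1=8000 a2=0 a3=8000 pid=4242 auid=500 uid=500 comm="cat"',
    'type=SYSCALL msg=audit(1150829741.102:202): arch=40000003 syscall=5 success=yes '
    'exit=3 a0=bfd25b55 a1=8000 a2=0 a3=8000 pid=4243 auid=500 uid=500 comm="cat"',
    # O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE; a2 is then the mode argument (0644 = 0x1a4)
    'type=SYSCALL msg=audit(1150829741.103:203): arch=40000003 syscall=5 success=yes '
    'exit=4 a0=bfd25b55 a1=8241 a2=1a4 a3=8000 pid=4244 auid=500 uid=500 comm="vi"',
    # openat(2): a0 is the dirfd (AT_FDCWD), a1 the path, and the flags sit in a2
    'type=SYSCALL msg=audit(1150829741.104:204): arch=40000003 syscall=295 success=yes '
    'exit=5 a0=ffffff9c a1=bfd25b55 a2=8002 a3=0 pid=4245 auid=500 uid=500 comm="dd"',
]


def summarize(records=SAMPLE_RECORDS) -> list:
    """Decode every record; useful for picking out write opens of a watched file."""
    return [classify_record(r) for r in records]


if __name__ == "__main__":
    for result in summarize():
        print(result)
```

The decoder reads the flags, so it answers "was the file opened for writing", which is the question the thread asks. As Mike notes, the permissions the user holds on the file are not in a1 at all; for that you still need the rest of the event (the PATH record's mode and ownership fields alongside uid/auid in the SYSCALL record).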



