File watching

Steve Grubb sgrubb at redhat.com
Tue Jun 20 20:41:10 UTC 2006


On Tuesday 20 June 2006 16:30, Amy Griffis wrote:
> It would be nice if it were possible to further filter the open calls,
> by allowing the rule to specify certain flags like O_CREAT, O_RDONLY,
> O_WRONLY or O_RDWR.  That could do quite a bit to eliminate
> unwanted log data.
>
> What do others think, should we consider adding something like this?

Yes, this is what the "rwex" flags to -p of auditctl allowed us to do. But we 
also need to have a perm field that makes it easy to see what the requested 
perm was.

-Steve



