file change tracking

Simmons Jr,Felix felix.simmons at edwardjones.com
Tue Jul 10 15:56:37 UTC 2007 

All,

Ok, let me preface by saying I'm an auditd novice. Ok, so I've basically
gotten a watch on 3 files and a filter to never log mount syscalls, with
the following rules:

[root at XXXX audit]# auditctl -l
AUDIT_LIST: exit,never syscall=mount
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/important,
filterkey=important_file, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/shadow,
filterkey=important_file, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/passwd,
filterkey=important_file, perms=wa, valid=0

I'm only interested in when the file is written to or appended (hence
the wa). However, I'm running into something that I was hoping I could
get confirmed on this list. When I vi one of the files, and quit without
writing content to the file, I get the following lines to my audit.log:

type=SYSCALL msg=audit(1184082224.278:6396): arch=c000003e syscall=21
success=yes exit=0 a0=75d930 a1=2 a2=0 a3=1 items=1 pid=28804
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="vim" exe="/usr/bin/vim"
type=FS_WATCH msg=audit(1184082224.278:6396): watch_inode=36339931
watch="passwd" filterkey=important_file perm=10 perm_mask=2
type=FS_INODE msg=audit(1184082224.278:6396): inode=36339931 inode_uid=0
inode_gid=0 inode_dev=68:02 inode_rdev=00:00
type=CWD msg=audit(1184082224.278:6396):  cwd="/var/tmp/auditd_test"
type=PATH msg=audit(1184082224.278:6396): name="passwd" flags=401
inode=36339931 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

(that's not the -i view so bear with the actual numbers). 
Could someone confirm for me what Vi is doing to the file that pops a
perm_mask=2 (write) event?

On a side note, when I do actually write to the file (via vi or
redirecting text) I get 7 separate type=FS_WATCH....perm_mask=2 events.
I can live with the multiples but anyone have any idea why I see that
for one file write?

Thanks in advance

Felix

(running audit-1.0.14-1.EL4 on a RHEL box with a 2.6.9-42.0.10.Elsmp
kernel)
 
 If you are not the intended recipient of this message (including attachments), or if you have received this message in error, immediately notify us and delete it and any attachments.  If you no longer wish to receive e-mail from Edward Jones, please send this request to messages at edwardjones.com.  You must include the e-mail address that you wish not to receive e-mail communications. For important additional information related to this e-mail, visit www.edwardjones.com/US_email_disclosure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070710/b4b3c8b9/attachment.htm>

More information about the Linux-audit mailing list