From: Steve Grubb
Subject: Re: Auditing File Changes
Date: Mon, 10 Jul 2006 13:44:01 -0400
Message-ID: <200607101344.02093.sgrubb@redhat.com>
References: <4536.216.231.24.46.1152552578.squirrel@webmail.uci.edu>
In-Reply-To: <4536.216.231.24.46.1152552578.squirrel@webmail.uci.edu>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 10 July 2006 13:29, eklinger@uci.edu wrote:
> Please forgive me if this has been asked, but will the file watch
> functionality

We only go after an open command with write permission turned on. The case
being that you can fill up your logs quickly by intercepting all writes.

> be able to intercept writes and/or be able to intercept the
> actual changes to the file and report those, in addition to the fact that
> the file was modified?

No, it will not. If you need to see actual changes, then you need to
instrument the program in question to log changes. You can look at passwd or
hwclock as an example of this.

-Steve
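
The reply's point that the program itself has to log what it changed, sketched as an added example that is not part of the original message or of any audit project code. The function names, the logger name and the record layout are hypothetical, and the records go to Python's `logging` module rather than to the audit subsystem.

```python
import difflib
import logging

log = logging.getLogger("change-audit")  # hypothetical logger name


def change_records(old_text, new_text):
    """Return one record per removed or added line, with its line number."""
    old, new = old_text.splitlines(), new_text.splitlines()
    records = []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            records += [f"removed line={n + 1} text={old[n]!r}"
                        for n in range(i1, i2)]
        if tag in ("replace", "insert"):
            records += [f"added line={n + 1} text={new[n]!r}"
                        for n in range(j1, j2)]
    return records


def write_with_change_log(path, new_text, actor):
    """Rewrite path and log the content change from inside the program."""
    try:
        with open(path, encoding="utf-8") as fh:
            old_text = fh.read()
    except FileNotFoundError:
        old_text = ""  # creating the file: every line counts as added
    records = change_records(old_text, new_text)
    if not records:
        return []  # identical content: skip the write and the log entries
    # This open-for-write is the event a file watch records; the watch
    # itself never sees which lines differ, so they are logged here.
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    for rec in records:
        # Logs the line text itself, so do not use this on files of secrets.
        log.info("file=%s actor=%s %s", path, actor, rec)
    return records
```
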