From: Michael C Thompson <thompsmc@us.ibm.com>
To: "Timothy R. Chavez" <tinytim@us.ibm.com>
Cc: linux-audit@redhat.com
Subject: Re: File watching
Date: Tue, 20 Jun 2006 13:52:48 -0500
Message-ID: <44984400.7020206@us.ibm.com>
In-Reply-To: <1150828819.19484.14.camel@localhost.localdomain>
Timothy R. Chavez wrote:
> On Tue, 2006-06-20 at 14:32 -0400, Steve wrote:
>>>> Instead, you audit the file open, and make a note of whether the file
>>>> was opened read-only, or for read/write. If it was opened for
>>>> read/write, one presumes that it was written to.
>> Is it possible to tell if a file was opened read/write or read-only from
>> the events generated by audit?
>>
>> Thanks,
>> Steve
>
> Hi Steve,
>
> You should be able to ascertain this information from the open() audit
> record. I thought at one time the flags were recorded in the record,
> but perhaps no longer (or maybe my memory does not serve me well :)).
> The record does record syscall arguments, however, so perhaps you could
> analyze a1= (I believe this is the argument that passes flags), and
> figure out with what flags open() was called with. Admittedly, I'm not
> so knowledgeable these days as to what is actually being reported in the
> audit log.
Tim,
You are correct, the associated meaning for a1 with the open syscall is
flags [ http://www.linux-m32r.org/lxr/http/source/fs/open.c#L1100 ].
In the following example open() syscall record, you can see a1 is 0x8000.
type=SYSCALL msg=audit(1150567434.940:1386): arch=40000003 syscall=5
success=yes exit=3 a0=93bd6e0 a1=8241 a2=1b6 a3=8241 items=2 ppid=2106
pid=2108 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="bash" exe="/bin/bash"
subj=root:staff_r:staff_t:s0-s15:c0.c255
a0 -- pointer, not useful
a1 -- the flags used for creation, in this case 0x8241 -> O_WRONLY |
O_CREAT | O_TRUNC | O_LARGEFILE
a2 -- the mode, in this case 0x1b6 -> 0666
http://www.linux-m32r.org/lxr/http/source/include/asm-generic/fcntl.h#L7
Can you guess what simple shell command I used to get this log? :P
Thanks,
Mike
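The decoding Mike does by hand above (a1 -> O_* flags, a2 -> octal mode, then "was this opened for writing?") can be scripted over raw SYSCALL records. The following is an added example, not code from the linux-audit project or from anyone in this thread. It assumes the asm-generic/fcntl.h flag values (shared by i386 and x86_64) and the i386/x86_64 syscall numbers for open() and openat(); other architectures encode both differently, so the arch field is checked first. The first record is the one quoted in the message, re-joined onto one line; the read-only and openat() records are constructed for illustration.

```python
"""Decode the flags argument of open()/openat() from a Linux audit SYSCALL
record, to tell read-only opens from opens that could modify the file.

Added example, not code from the linux-audit project. Flag and syscall
numbers are the asm-generic / x86 values; other architectures differ.
"""
import re

# asm-generic/fcntl.h values (shared by i386 and x86_64). Assumption: the
# record comes from one of those arches; alpha, sparc, parisc and mips use
# different encodings, so the arch field is checked before decoding.
O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
O_FLAGS = {
    0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY", 0o1000: "O_TRUNC",
    0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o10000: "O_DSYNC",
    0o20000: "FASYNC", 0o40000: "O_DIRECT", 0o100000: "O_LARGEFILE",
    0o200000: "O_DIRECTORY", 0o400000: "O_NOFOLLOW", 0o1000000: "O_NOATIME",
    0o2000000: "O_CLOEXEC",
}

# arch field -> {syscall number: (name, index of the flags argument)}.
# open(path, flags, mode) keeps flags in a1; openat(dirfd, path, flags, mode)
# keeps them in a2. The mode argument always follows the flags argument.
OPEN_SYSCALLS = {
    "40000003": {"5": ("open", 1), "295": ("openat", 2)},  # AUDIT_ARCH_I386
    "c000003e": {"2": ("open", 1), "257": ("openat", 2)},  # AUDIT_ARCH_X86_64
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split a 'key=value key="quoted value"' audit line into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_open_flags(hexval):
    """Turn the hex flags argument into O_* names; access mode comes first."""
    flags = int(hexval, 16)
    names = [ACCESS_MODES.get(flags & O_ACCMODE, "O_ACCMODE=3(invalid)")]
    remaining = flags & ~O_ACCMODE
    for bit, name in sorted(O_FLAGS.items()):
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:                       # bits this table does not know about
        names.append("0x%x" % remaining)
    return names


def classify_open(record):
    """Return a summary for open/openat records, or None for other syscalls."""
    entry = OPEN_SYSCALLS.get(record.get("arch"), {}).get(record.get("syscall"))
    if entry is None:
        return None
    name, idx = entry
    flags = decode_open_flags(record["a%d" % idx])
    # Write intent: write or read/write access mode, or truncation on open.
    # O_CREAT alone creates the file but does not by itself imply a write.
    may_write = flags[0] in ("O_WRONLY", "O_RDWR") or "O_TRUNC" in flags
    mode = None
    if "O_CREAT" in flags:              # mode is only consulted when creating
        mode = "%04o" % (int(record["a%d" % (idx + 1)], 16) & 0o7777)
    return {"syscall": name, "flags": flags, "may_write": may_write,
            "mode": mode, "success": record.get("success") == "yes",
            "comm": record.get("comm"), "exe": record.get("exe")}


# The SYSCALL record quoted in the message above, re-joined onto one line.
PAGE_RECORD = ('type=SYSCALL msg=audit(1150567434.940:1386): arch=40000003 '
               'syscall=5 success=yes exit=3 a0=93bd6e0 a1=8241 a2=1b6 a3=8241 '
               'items=2 ppid=2106 pid=2108 auid=0 uid=0 gid=0 euid=0 suid=0 '
               'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" '
               'exe="/bin/bash" subj=root:staff_r:staff_t:s0-s15:c0.c255')

# Constructed records (not from the page): a read-only open on i386 and an
# x86_64 openat() for read/write with O_CLOEXEC.
READONLY_RECORD = ('type=SYSCALL msg=audit(1150567435.000:1387): arch=40000003 '
                   'syscall=5 success=yes exit=3 a0=93bd6e0 a1=8000 a2=0 a3=0 '
                   'comm="cat" exe="/bin/cat"')
OPENAT_RECORD = ('type=SYSCALL msg=audit(1150567436.000:1388): arch=c000003e '
                 'syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd0 '
                 'a2=80242 a3=1a4 comm="vim" exe="/usr/bin/vim"')

if __name__ == "__main__":
    for rec in (PAGE_RECORD, READONLY_RECORD, OPENAT_RECORD):
        print(classify_open(parse_record(rec)))
```

For the page's record this yields O_WRONLY | O_CREAT | O_TRUNC | O_LARGEFILE with mode 0666, the same reading Mike gives by hand. Two caveats when using this for file watching: the flags describe intent at open() time, so an O_RDWR open that never issues write() still counts as "may write" (the presumption Steve quoted), and the file names themselves are in the PATH records that follow the SYSCALL record (items=2 here), not in the SYSCALL line, so a real tool has to join records on the audit serial number.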