From: Steve <m6x@ornl.gov>
To: linux-audit@redhat.com
Subject: Re: File watching
Date: Tue, 20 Jun 2006 15:08:53 -0400
Message-ID: <449847C5.8080407@ornl.gov>
In-Reply-To: <449844AD.4010804@us.ibm.com>
Michael C Thompson wrote:
> Steve wrote:
>>>> Is it possible to tell if a file was opened read/write or read-only
>>>> from the events generated by audit?
>>
>>> The record does record syscall arguments, however, so perhaps you could
>>> analyze a1= (I believe this is the argument that passes flags), and
>>> figure out what flags open() was called with.
>>
>> I performed an open on a file twice, the first is when the user had
>> read/write privileges to the file and in the second the user only has
>> read permissions. These were the a# values from the events,
>> respectively:
>>
>> a0=bfe6ac25 a1=8000 a2=0 a3=8000
>>
>> a0=bfd25b55 a1=8000 a2=0 a3=8000
>>
>> I'm not sure how to analyze that...
>
> In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and
> O_LARGEFILE (0100000 octal, 0x8000 hex).
>
> So it was opened as read-only. You can't determine the level of access
> the user has from the above, although you should be able to infer some
> information about it from the entire record.
>
> Mike
>
The file is owned by root and the group for the file is root. The
permissions are 664.
Here is the whole record for root accessing the file:
audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3
a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0
cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c"
inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00
obj=user_u:object_r:tmp_t:s0
and for the normal user:
audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3
a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=pts3 comm="vim" exe="/usr/bin/vim"
subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0
name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0
rdev=00:00 obj=user_u:object_r:tmp_t:s0
I am not sure why it opens the file as read-only when root opens it...
Steve
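As an added example (not part of this thread), this is how the decoding Mike describes can be applied to the two records Steve posted: the a1 word is split into its access mode and modifier bits using the i386 open(2) values (the records carry arch=40000003), and the mode/ouid/ogid fields are compared with the process's fsuid/fsgid to infer whether the opener could have written. The records are abridged and re-joined onto one line each; supplementary groups are not in an audit record, so the permission check is only an approximation.

```python
import re

# i386 open(2) flag values (arch=40000003); low two bits = access mode, rest = modifiers.
ACCESS = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
MODIFIERS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY",
             0o1000: "O_TRUNC", 0o2000: "O_APPEND", 0o4000: "O_NONBLOCK",
             0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY"}

# The two records from the mail above, abridged and re-joined onto one line each.
ROOT_RECORD = ('audit(1150830257.233:250): arch=40000003 syscall=5 success=yes '
               'exit=3 a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 '
               'pid=25063 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
               'sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" item=0 '
               'name="/tmp/test.c" mode=0100664 ouid=0 ogid=0')
USER_RECORD = ('audit(1150830316.688:251): arch=40000003 syscall=5 success=yes '
               'exit=3 a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 '
               'pid=25069 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 '
               'egid=500 sgid=500 fsgid=500 tty=pts3 comm="vim" exe="/usr/bin/vim" '
               'item=0 name="/tmp/test.c" mode=0100664 ouid=0 ogid=0')

def parse_record(text):
    """Split a raw audit record into a dict of its key=value fields."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', text))

def decode_open_flags(a1_hex):
    """Name the bits in open(2)'s a1 argument: access mode first, then modifiers."""
    flags = int(a1_hex, 16)
    return [ACCESS[flags & 0o3]] + [n for bit, n in MODIFIERS.items() if flags & bit]

def may_write(rec):
    """Do the mode bits grant the opener write access? Checks fsuid/fsgid against
    ouid/ogid; supplementary groups are not in the record, so they are not seen."""
    mode = int(rec["mode"], 8) & 0o777
    fsuid, fsgid = int(rec["fsuid"]), int(rec["fsgid"])
    if fsuid == 0:                      # root: CAP_DAC_OVERRIDE bypasses mode bits
        return True
    if fsuid == int(rec["ouid"]):
        return bool(mode & 0o200)
    if fsgid == int(rec["ogid"]):
        return bool(mode & 0o020)
    return bool(mode & 0o002)

def summarize(text):
    """Return (path, decoded a1 flags, whether the opener could have written)."""
    rec = parse_record(text)
    return rec["name"].strip('"'), decode_open_flags(rec["a1"]), may_write(rec)

if __name__ == "__main__":
    for record in (ROOT_RECORD, USER_RECORD):
        print(summarize(record))
```

Both records decode to O_RDONLY|O_LARGEFILE because this open() is the editor reading the file into its buffer, which says nothing about what the user was allowed to do. A later save shows up as a separate open() record with its own a1, so write intent has to be read from that record rather than from this one.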