* path watcher
@ 2014-08-22 15:31 John Haxby
2014-09-12 17:35 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: John Haxby @ 2014-08-22 15:31 UTC (permalink / raw)
To: linux-audit
Hello,
We have an internal group auditing updates to files but who would like
to be able to monitor the actual modification rather than the possible
intent to modify.
The example they gave is that some program opens a file
O_WRONLY|O_APPEND but in most cases it does not subsequently write to
the file. For them, the usual auditctl -p path -w wa causes lots of
false positives.
Historically, I know, that -w wa is triggered by the open(2) flags
rather than actual modifications because "[t]he read & write syscalls
are omitted from this set since they would overwhelm the logs." Reading
this again now, it looks a little specious as it seems quite easy to
overwhelm the logs anyway.
Is there any reason why a file watcher should not use the fsnotify
FS_ACCESS/MODIFY/ATTRIB masks before I go haring off to try to implement
that?
jch
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: path watcher
2014-08-22 15:31 path watcher John Haxby
@ 2014-09-12 17:35 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2014-09-12 17:35 UTC (permalink / raw)
To: linux-audit
Hello,
I had hoped some kernel guys would have jumped in here to answer...but I'll
take a stab at it.
On Friday, August 22, 2014 04:31:24 PM John Haxby wrote:
> We have an internal group auditing updates to files but who would like
> to be able to monitor the actual modification rather than the possible
> intent to modify.
That would be a nice addition.
> The example they gave is that some program opens a file
> O_WRONLY|O_APPEND but in most cases it does not subsequently write to
> the file. For them, the usual auditctl -p path -w wa causes lots of
> false positives.
I have asked some problematic apps to open readonly and then change flags when
they decide they need to write. Some people comply, others can't believe I
even asked them to do it.
> Historically, I know, that -w wa is triggered by the open(2) flags
> rather than actual modifications because "[t]he read & write syscalls
> are omitted from this set since they would overwhelm the logs." Reading
> this again now, it looks a little specious as it seems quite easy to
> overwhelm the logs anyway.
>
> Is there any reason why a file watcher should not use the fsnotify
> FS_ACCESS/MODIFY/ATTRIB masks before I go haring off to try to implement
> that?
I don't know the particulars. But for auditing purposes, we'd only want 1
event no matter how many times they wrote. If the w/r flags could be cleaned up
to be accurate and not signal just the intent, I think that would be good.
However, I am sure there are tricky corner cases such as mmapped files that
also need to be accounted for.
Steve
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-09-12 17:35 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-08-22 15:31 path watcher John Haxby
2014-09-12 17:35 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.