From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Timothy R. Chavez" <tinytim@us.ibm.com>
Subject: Re: File watching
Date: Tue, 20 Jun 2006 13:40:18 -0500
Message-ID: <1150828819.19484.14.camel@localhost.localdomain>
References: <4498360A.7090807@ornl.gov>
	<20060620181024.GA31078@arlut.utexas.edu>
	<1150827779.19484.7.camel@localhost.localdomain>
	<44983F25.5010801@ornl.gov>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k5KIeS2c013595
	for <linux-audit@redhat.com>; Tue, 20 Jun 2006 14:40:28 -0400
Received: from e32.co.us.ibm.com (e32.co.us.ibm.com [32.97.110.150])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k5KIeQgN023370
	for <linux-audit@redhat.com>; Tue, 20 Jun 2006 14:40:26 -0400
Received: from d03relay04.boulder.ibm.com (d03relay04.boulder.ibm.com
	[9.17.195.106])
	by e32.co.us.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id
	k5KIeLNA016950
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL)
	for <linux-audit@redhat.com>; Tue, 20 Jun 2006 14:40:21 -0400
Received: from d03av01.boulder.ibm.com (d03av01.boulder.ibm.com [9.17.195.167])
	by d03relay04.boulder.ibm.com (8.13.6/NCO/VER7.0) with ESMTP id
	k5KIeU1M118984
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <linux-audit@redhat.com>; Tue, 20 Jun 2006 12:40:30 -0600
Received: from d03av01.boulder.ibm.com (loopback [127.0.0.1])
	by d03av01.boulder.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id
	k5KIeKtW020209
	for <linux-audit@redhat.com>; Tue, 20 Jun 2006 12:40:20 -0600
In-Reply-To: <44983F25.5010801@ornl.gov>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve <m6x@ornl.gov>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2006-06-20 at 14:32 -0400, Steve wrote:
> >> Instead, you audit the file open, and make a note of whether the file
> >> was opened read-only, or for read/write.  If it was opened for
> >> read/write, one presumes that it was written to.
> 
> Is it possible to tell if a file was opened read/write or read-only from 
> the events generated by audit?
> 
> Thanks,
> Steve

Hi Steve,

You should be able to ascertain this information from the open() audit
record.  I thought at one time the flags were recorded in the record,
but perhaps no longer (or maybe my memory does not serve me well :)).
The record does record syscall arguments, however, so perhaps you could
analyze a1= (I believe this is the argument that passes flags), and
figure out with what flags open() was called with.  Admittedly, I'm not
so knowledgeable these days as to what is actually being reported in the
audit log.

-tim