From: Steve Grubb
Subject: Re: File watching
Date: Tue, 20 Jun 2006 16:41:10 -0400
Message-ID: <200606201641.10978.sgrubb@redhat.com>
References: <4498360A.7090807@ornl.gov> <20060620203005.GB29481@zk3.dec.com>
In-Reply-To: <20060620203005.GB29481@zk3.dec.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 20 June 2006 16:30, Amy Griffis wrote:
> It would be nice if it were possible to further filter the open calls,
> by allowing the rule to specify certain flags like O_CREAT, O_RDONLY,
> O_WRONLY or O_RDWR. That could do quite a bit to eliminate
> unwanted log data.
>
> What do others think, should we consider adding something like this?

Yes, this is what the "rwex" flags to -p of auditctl allowed us to do. But we
also need to have a perm field that makes it easy to see what the requested
perm was.

-Steve