Linux-audit Archive on lore.kernel.org
From: Amy Griffis <amy.griffis@hp.com>
To: Steve <m6x@ornl.gov>
Cc: linux-audit@redhat.com
Subject: Re: File watching
Date: Tue, 20 Jun 2006 16:30:05 -0400
Message-ID: <20060620203005.GB29481@zk3.dec.com>
In-Reply-To: <4498360A.7090807@ornl.gov>

Hi Steve,

Steve wrote:     [Tue Jun 20 2006, 01:53:14PM EDT]
> I have audit set to monitor all system calls for a file.  I see some 
> system calls for it, but I think some may be missing...  If I create the 
> file using vi, I only see an open followed by a stat64.  Shouldn't there 
> be a write of some type?

You don't see a record for write because write operates on an fd
rather than a pathname.  The audit hooks that collect the information
used to match the 'inode' and 'path' filter fields are typically only
called when the syscall args specify a pathname.

The exception is the fchmod, fchown, fsetxattr and fremovexattr
syscalls.  We added extra hooks there to satisfy CAPP requirements.

In order to support filtering by 'inode' or 'path' for read/write
calls, we could add audit_inode() hooks like we did for the f*
syscalls.  But as Jonathan mentioned, most people don't want to audit
individual reads and writes, so no one has pursued adding that
capability.

With the current behavior, your only option is to audit all opens for
the file and examine the a1 field in the resulting records.

It would be nice if it were possible to further filter the open calls,
by allowing the rule to specify certain flags like O_CREAT, O_RDONLY,
O_WRONLY or O_RDWR.  That could do quite a bit to eliminate
unwanted log data.

What do others think, should we consider adding something like this?

Amy
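As an added example (not from this thread or the audit project), here is the post-processing Amy describes: take the SYSCALL records produced by auditing every open of a watched file and decode the hex flags word so read-only opens can be dropped and only opens that could modify the file are kept. It assumes x86_64 records (arch=c000003e, open=2 with flags in a1, openat=257 with flags in a2 because a0 is the directory fd) and x86 Linux flag values; the log lines are constructed.

```python
import re
from typing import Dict, List, Optional
# open(2) flag values for x86 Linux (assumption: the logs come from x86_64).
# The audit record prints the flags as bare hex, e.g. a1=241 for 0x241.
O_ACCMODE = 0x3
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAG_BITS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC", 0x400: "O_APPEND"}
# Register holding the flags, keyed by (arch, syscall); openat uses a2 (a0 is dirfd).
FLAG_ARG = {("c000003e", "2"): "a1", ("c000003e", "257"): "a2"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed sample records: a read-only open (cat), a create+truncate open
# (vi), an append openat (shell redirection), and the stat that follows an open.
SAMPLE = [
    'type=SYSCALL msg=audit(1150833194.101:40): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2c1a a1=0 a2=0 a3=0 items=1 pid=2101 comm="cat" exe="/bin/cat" key="secret-watch"',
    'type=SYSCALL msg=audit(1150833194.202:41): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd2c1a a1=241 a2=1b6 a3=0 items=2 pid=2102 comm="vi" exe="/usr/bin/vi" key="secret-watch"',
    'type=SYSCALL msg=audit(1150833194.303:42): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffd2c1a a2=441 a3=1b6 items=1 pid=2103 comm="bash" exe="/bin/bash" key="secret-watch"',
    'type=SYSCALL msg=audit(1150833194.404:43): arch=c000003e syscall=4 success=yes exit=0 a0=7ffd2c1a a1=7ffd2b00 a2=0 a3=0 items=1 pid=2102 comm="vi" exe="/usr/bin/vi" key="secret-watch"',
]

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key=value fields, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def decode_open_flags(hex_flags: str) -> List[str]:
    """Turn the bare-hex flags word into open(2) flag names, access mode first."""
    flags = int(hex_flags, 16)
    names = [ACCESS_MODES[flags & O_ACCMODE]]
    names += [name for bit, name in sorted(FLAG_BITS.items()) if flags & bit]
    return names

def open_flags_of(rec: Dict[str, str]) -> Optional[List[str]]:
    """Decoded flags for an open/openat SYSCALL record; None for any other record."""
    if rec.get("type") != "SYSCALL":
        return None
    arg = FLAG_ARG.get((rec.get("arch"), rec.get("syscall")))
    if arg is None or arg not in rec:
        return None
    return decode_open_flags(rec[arg])

def opens_that_can_modify(lines: List[str]):
    """Keep only opens whose flags permit writing, creating or truncating the file."""
    kept = []
    for line in lines:
        rec = parse_record(line)
        flags = open_flags_of(rec)
        if flags and set(flags) & {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"}:
            kept.append((rec["comm"], rec["key"], flags))
    return kept
```

Because write(2) records are never tied to the watched path, the decoded open flags are the closest available signal of which processes could have changed the file.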
