public inbox for linux-audit@redhat.com
* file watch and stat
@ 2006-10-02 19:16 Michael C Thompson
  2006-10-02 20:11 ` Amy Griffis
  0 siblings, 1 reply; 4+ messages in thread
From: Michael C Thompson @ 2006-10-02 19:16 UTC (permalink / raw)
  To: Linux Audit

Hey all,

I'm trying to figure out why having a watch on a file is not generating 
a record when I stat said file.

Put a watch on a file, and do stat file.

No record... I'm not sure why this is happening, isn't getting such 
information considered security relevant?

Mike


* Re: file watch and stat
  2006-10-02 19:16 file watch and stat Michael C Thompson
@ 2006-10-02 20:11 ` Amy Griffis
  2006-10-02 21:22   ` Michael C Thompson
  0 siblings, 1 reply; 4+ messages in thread
From: Amy Griffis @ 2006-10-02 20:11 UTC (permalink / raw)
  To: linux-audit

Michael C Thompson wrote:  [Mon Oct 02 2006, 03:16:19PM EDT]
> Hey all,
> 
> I'm trying to figure out why having a watch on a file is not generating 
> a record when I stat said file.
> 
> Put a watch on a file, and do stat file.
> 
> No record... I'm not sure why this is happening, isn't getting such 
> information considered security relevant?

What is your audit rule?


* Re: file watch and stat
  2006-10-02 20:11 ` Amy Griffis
@ 2006-10-02 21:22   ` Michael C Thompson
  2006-10-03 15:43     ` Amy Griffis
  0 siblings, 1 reply; 4+ messages in thread
From: Michael C Thompson @ 2006-10-02 21:22 UTC (permalink / raw)
  To: linux-audit

Amy Griffis wrote:
> Michael C Thompson wrote:  [Mon Oct 02 2006, 03:16:19PM EDT]
>> Hey all,
>>
>> I'm trying to figure out why having a watch on a file is not generating 
>> a record when I stat said file.
>>
>> Put a watch on a file, and do stat file.
>>
>> No record... I'm not sure why this is happening, isn't getting such 
>> information considered security relevant?
> 
> What is your audit rule?

auditctl -w /path/to/file

Mike


* Re: file watch and stat
  2006-10-02 21:22   ` Michael C Thompson
@ 2006-10-03 15:43     ` Amy Griffis
  0 siblings, 0 replies; 4+ messages in thread
From: Amy Griffis @ 2006-10-03 15:43 UTC (permalink / raw)
  To: linux-audit

Michael C Thompson wrote:  [Mon Oct 02 2006, 05:22:17PM EDT]
> Amy Griffis wrote:
> >Michael C Thompson wrote:  [Mon Oct 02 2006, 03:16:19PM EDT]
> >>Hey all,
> >>
> >>I'm trying to figure out why having a watch on a file is not generating 
> >>a record when I stat said file.
> >>
> >>Put a watch on a file, and do stat file.
> >>
> >>No record... I'm not sure why this is happening, isn't getting such 
> >>information considered security relevant?
> >
> >What is your audit rule?
> 
> auditctl -w /path/to/file

You aren't seeing a record because stat is not included in any of the
syscall classes.  I believe it was omitted because it has a tendency
to fill up audit logs.

You can audit this event by specifying the syscall directly, e.g.

auditctl -a exit,always -S stat -F path=/path/to/file

Regards,
Amy
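
Added example, not part of the original message or of the audit project's code: once a syscall rule like the one above is loaded, each hit is logged as a SYSCALL record plus PATH records that share one event ID, and this Python code picks the stat-family accesses to the watched file out of a log excerpt. The x86_64 syscall numbers, the constructed sample records and the function names are assumptions; the table goes beyond the rule above by listing the rest of the stat family, which is only recorded if those calls are also named with -S.

```python
import re

# x86_64 syscall numbers for the stat family (assumption: arch=c000003e).
STAT_FAMILY = {4: "stat", 5: "fstat", 6: "lstat", 262: "newfstatat", 332: "statx"}

# Constructed audit.log excerpt with trimmed field lists; not taken from the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1159890200.101:301): arch=c000003e syscall=4 success=yes exit=0 items=1 pid=2150 auid=500 uid=500 comm="stat" exe="/usr/bin/stat"
type=PATH msg=audit(1159890200.101:301): item=0 name="/path/to/file" inode=1234 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1159890201.220:302): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2151 auid=0 uid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1159890201.220:302): item=0 name="/path/to/file" inode=1234 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1159890202.330:303): arch=c000003e syscall=4 success=yes exit=0 items=1 pid=2152 auid=500 uid=500 comm="stat" exe="/usr/bin/stat"
type=PATH msg=audit(1159890202.330:303): item=0 name="/etc/hostname" inode=77 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1159890203.440:304): arch=c000003e syscall=262 success=yes exit=0 items=1 pid=2153 auid=501 uid=501 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1159890203.440:304): item=0 name="/path/to/file" inode=1234 dev=08:01 mode=0100644
"""

MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by (timestamp, serial), the ID all records of one event share."""
    events = {}
    for line in log_text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events.setdefault((ts, int(serial)), []).append((rtype, fields))
    return events

def stat_accesses(log_text, watched_path):
    """Return stat-family syscalls whose PATH record names watched_path."""
    hits = []
    for (ts, serial), records in sorted(parse_events(log_text).items()):
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        names = {f.get("name") for t, f in records if t == "PATH"}
        if sc is None or watched_path not in names:
            continue
        call = STAT_FAMILY.get(int(sc["syscall"]))
        if call:  # drop non-stat hits such as the open() in event 302
            hits.append({"serial": serial, "syscall": call,
                         "uid": sc["uid"], "comm": sc["comm"]})
    return hits

if __name__ == "__main__":
    for hit in stat_accesses(SAMPLE_LOG, "/path/to/file"):
        print(hit)
```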
