From: Amy Griffis
Subject: Re: file watch and stat
Date: Tue, 3 Oct 2006 11:43:15 -0400
Message-ID: <20061003154315.GB17635@fc.hp.com>
In-Reply-To: <45218309.7050900@us.ibm.com>
To: linux-audit@redhat.com

Michael C Thompson wrote: [Mon Oct 02 2006, 05:22:17PM EDT]
> Amy Griffis wrote:
> > Michael C Thompson wrote: [Mon Oct 02 2006, 03:16:19PM EDT]
> > > Hey all,
> > >
> > > I'm trying to figure out why having a watch on a file is not generating
> > > a record when I stat said file.
> > >
> > > Put a watch on a file, and do stat file.
> > >
> > > No record... I'm not sure why this is happening, isn't getting such
> > > information considered security relevant?
> >
> > What is your audit rule?
>
> auditctl -w /path/to/file

You aren't seeing a record because stat is not included in any of the
syscall classes. I believe it was omitted because it has a tendency to
fill up audit logs.

You can audit this event by specifying the syscall directly, e.g.

    auditctl -a exit,always -S stat -F path=/path/to/file

Regards,
Amy
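The rule in the reply above names only the stat(2) syscall. On current x86_64 systems the stat(1) utility and the glibc stat() wrapper usually enter the kernel through newfstatat(2) or statx(2) instead, so a rule for `-S stat` alone can still leave the log empty. The shell function below is an added example, not part of the original thread; it emits one auditctl rule per stat-family syscall for a given path. The syscall list, the `-F arch=b64` field, the default key name and the x86_64 assumption are mine.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread): generate auditctl rules
# that cover the whole stat family for one file, so a stat through any
# current libc or coreutils code path produces a SYSCALL record.
# Assumes x86_64 (arch=b64); on other architectures some names differ
# (e.g. aarch64 has no stat/lstat syscall) and auditctl rejects them.
# Paths containing whitespace are not handled.

STAT_SYSCALLS="stat lstat fstat newfstatat statx"

# audit_stat_rules PATH [KEY]
# Prints one "auditctl -a exit,always ..." command per syscall.  It only
# prints, so it needs no privileges; review the output, then run it as root
# (or paste the rules into /etc/audit/rules.d/) to load it.
audit_stat_rules() {
    path=$1
    key=${2:-stat-watch}
    case "$path" in
        /*) ;;
        *)  echo "audit_stat_rules: path must be absolute: $path" >&2
            return 1 ;;
    esac
    for sc in $STAT_SYSCALLS; do
        printf 'auditctl -a exit,always -F arch=b64 -S %s -F path=%s -k %s\n' \
            "$sc" "$path" "$key"
    done
}

# Stand-alone use: print the rules for a constructed sample path.
audit_stat_rules /path/to/file
```

Search the resulting records with `ausearch -k stat-watch` (or whatever key you passed); each hit carries a SYSCALL line whose syscall field shows which member of the family the caller actually used.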