From: Michael C Thompson
Subject: Re: File watching
Date: Tue, 20 Jun 2006 13:52:48 -0500
Message-ID: <44984400.7020206@us.ibm.com>
In-Reply-To: <1150828819.19484.14.camel@localhost.localdomain>
To: "Timothy R. Chavez"
Cc: linux-audit@redhat.com

Timothy R. Chavez wrote:
> On Tue, 2006-06-20 at 14:32 -0400, Steve wrote:
>>>> Instead, you audit the file open, and make a note of whether the file
>>>> was opened read-only, or for read/write. If it was opened for
>>>> read/write, one presumes that it was written to.
>> Is it possible to tell if a file was opened read/write or read-only from
>> the events generated by audit?
>>
>> Thanks,
>> Steve
>
> Hi Steve,
>
> You should be able to ascertain this information from the open() audit
> record. I thought at one time the flags were recorded in the record,
> but perhaps no longer (or maybe my memory does not serve me well :)).
> The record does record syscall arguments, however, so perhaps you could
> analyze a1= (I believe this is the argument that passes flags), and
> figure out with what flags open() was called. Admittedly, I'm not
> so knowledgeable these days as to what is actually being reported in the
> audit log.

Tim,

You are correct, the associated meaning for a1 with the open syscall is
flags [ http://www.linux-m32r.org/lxr/http/source/fs/open.c#L1100 ].

In the following example open() syscall record, you can see a1 is 0x8000.

type=SYSCALL msg=audit(1150567434.940:1386): arch=40000003 syscall=5 success=yes exit=3 a0=93bd6e0 a1=8241 a2=1b6 a3=8241 items=2 ppid=2106 pid=2108 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:staff_r:staff_t:s0-s15:c0.c255

a0 -- pointer, not useful
a1 -- the flags used for creation, in this case 0x8241 -> O_WRONLY | O_CREAT | O_TRUNC | O_LARGEFILE
a2 -- the mode, in this case 0x1b6 -> 0666

http://www.linux-m32r.org/lxr/http/source/include/asm-generic/fcntl.h#L7

Can you guess what simple shell command I used to get this log? :P

Thanks,
Mike
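Decoding the a1/a2 arguments Mike walks through above, as an added Python example that is not from the thread or from the audit project: it parses the quoted SYSCALL record, applies the x86 open(2) flag values from asm-generic/fcntl.h (other architectures use different values, so it checks arch=40000003 and syscall=5, i386 open, before decoding), and answers Steve's question of whether the file was opened for writing.

```python
import re

# Constructed sample: the open() SYSCALL record quoted in the mail above.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1150567434.940:1386): arch=40000003 syscall=5 '
    'success=yes exit=3 a0=93bd6e0 a1=8241 a2=1b6 a3=8241 items=2 ppid=2106 '
    'pid=2108 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts1 comm="bash" exe="/bin/bash" subj=root:staff_r:staff_t:s0-s15:c0.c255'
)

# open(2) flag values for x86 (asm-generic/fcntl.h, octal as in the header).
# Assumption: the record comes from i386 (arch=40000003); alpha, sparc, parisc
# and mips define different values, so do not reuse this table for them.
O_ACCMODE = 0o3
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAG_BITS = {
    "O_CREAT": 0o100, "O_EXCL": 0o200, "O_NOCTTY": 0o400, "O_TRUNC": 0o1000,
    "O_APPEND": 0o2000, "O_NONBLOCK": 0o4000, "O_DSYNC": 0o10000,
    "O_LARGEFILE": 0o100000, "O_DIRECTORY": 0o200000, "O_NOFOLLOW": 0o400000,
    "O_CLOEXEC": 0o2000000,
}
I386_ARCH, I386_SYS_OPEN = "40000003", "5"


def parse_record(line):
    """Split an audit record into key -> value (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def decode_open_flags(flags):
    """Return the access-mode name followed by every other O_* bit that is set."""
    names = [ACCESS_MODES.get(flags & O_ACCMODE, "O_ACCMODE?")]
    names += [name for name, bit in FLAG_BITS.items() if flags & bit]
    return names


def describe_open(line):
    """Decode a1 (flags) and a2 (mode) of an i386 open() SYSCALL record.

    Returns (flag_names, mode_as_octal_string, opened_for_writing).  The mode
    is only meaningful when O_CREAT is among the flags.
    """
    rec = parse_record(line)
    if (rec.get("type"), rec.get("arch"), rec.get("syscall")) != \
            ("SYSCALL", I386_ARCH, I386_SYS_OPEN):
        raise ValueError("not an i386 open() SYSCALL record")
    flags = int(rec["a1"], 16)  # audit prints syscall arguments in hex
    mode = int(rec["a2"], 16)
    writes = (flags & O_ACCMODE) in (1, 2)  # O_WRONLY or O_RDWR
    return decode_open_flags(flags), oct(mode), writes
```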