From: Steve <m6x@ornl.gov>
To: linux-audit@redhat.com
Subject: Re: File watching
Date: Tue, 20 Jun 2006 15:08:53 -0400
Message-ID: <449847C5.8080407@ornl.gov>
In-Reply-To: <449844AD.4010804@us.ibm.com>
Michael C Thompson wrote:
> Steve wrote:
>>>> Is it possible to tell if a file was opened read/write or read-only
>>>> from the events generated by audit?
>>
>>> The record does record syscall arguments, however, so perhaps you could
>>> analyze a1= (I believe this is the argument that passes flags), and
>>> figure out with what flags open() was called with.
>>
>> I performed an open on a file twice, the first is when the user had
>> read/write privileges to the file and in the second the user only has
>> read permissions. These were the a# values from the events,
>> respectively:
>>
>> a0=bfe6ac25 a1=8000 a2=0 a3=8000
>>
>> a0=bfd25b55 a1=8000 a2=0 a3=8000
>>
>> I'm not sure how to analyze that...
>
> In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and
> O_LARGEFILE (0100000 octal, 0x8000 hex).
>
> So you were opened as read-only. You can't determine the level of access
> the user has from the above, although you should be able to infer some
> information about it from the entire record.
>
> Mike
>
The file is owned by root and the group for the file is root. The
permissions are 664.
Here is the whole record for root accessing the file
audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3
a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0
cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c"
inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00
obj=user_u:object_r:tmp_t:s0
and for the normal user:
audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3
a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=pts3 comm="vim" exe="/usr/bin/vim"
subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0
name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0
rdev=00:00 obj=user_u:object_r:tmp_t:s0
I am not sure why it opens the file as read-only when root opens it...
Steve
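The a1 decoding Mike describes, applied to the two records Steve posted, as an added example (not code from this thread or from the audit project). The records are constructed inline, trimmed to the fields used, plus one constructed write-open for contrast; the write-permission inference from fsuid/fsgid against ouid/ogid/mode is an assumption of the example, not something the thread states.

```python
import re

# open(2) flag bits for the i386 ABI (arch=40000003 in the records above).
# Low two bits are the access mode; O_LARGEFILE is 0100000 octal = 0x8000.
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
EXTRA_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC",
               0o2000: "O_APPEND", 0o100000: "O_LARGEFILE"}

# Constructed samples: the two records from the message, trimmed to the fields
# used here, plus a constructed write-open (O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE).
ROOT_OPEN = ('audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3 '
             'a0=9a62398 a1=8000 a2=0 a3=8000 uid=0 fsuid=0 fsgid=0 comm="vi" '
             'name="/tmp/test.c" mode=0100664 ouid=0 ogid=0')
USER_OPEN = ('audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3 '
             'a0=8669560 a1=8000 a2=0 a3=8000 uid=500 fsuid=500 fsgid=500 comm="vim" '
             'name="/tmp/test.c" mode=0100664 ouid=0 ogid=0')
USER_WRITE = USER_OPEN.replace("a1=8000", "a1=8241")

def parse_record(line):
    """Turn 'key=value key="quoted"' audit text into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def decode_open_flags(a1_hex):
    """a1 of open(2) is the flags word; returns (access mode, other set flags)."""
    flags = int(a1_hex, 16)
    mode = ACCESS_MODES[flags & 0o3]
    extras = [name for bit, name in sorted(EXTRA_FLAGS.items()) if flags & bit]
    return mode, extras

def can_write(rec):
    """Infer write permission from fsuid/fsgid (what the kernel checks) against
    ouid/ogid/mode. Supplementary groups are not in the record, so a False here
    may be wrong for a user who is in the file's group via /etc/group."""
    perms = int(rec["mode"], 8) & 0o777
    if int(rec["fsuid"]) == 0:
        return True                      # root bypasses mode bits (CAP_DAC_OVERRIDE)
    if int(rec["fsuid"]) == int(rec["ouid"]):
        return bool(perms & 0o200)
    if int(rec["fsgid"]) == int(rec["ogid"]):
        return bool(perms & 0o020)
    return bool(perms & 0o002)

def analyze(line):
    """Decode one record; None unless it is open() (syscall 5) on i386."""
    rec = parse_record(line)
    if rec.get("arch") != "40000003" or rec.get("syscall") != "5":
        return None
    mode, extras = decode_open_flags(rec["a1"])
    return {"name": rec["name"], "opened_as": mode, "flags": extras,
            "fsuid": rec["fsuid"], "can_write": can_write(rec)}
```

Both records decode to O_RDONLY|O_LARGEFILE, which is why the flags alone cannot distinguish root from the unprivileged user; the difference only shows up when fsuid/fsgid are compared with ouid/ogid and mode from the same record.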