From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve
Subject: Re: File watching
Date: Tue, 20 Jun 2006 15:08:53 -0400
Message-ID: <449847C5.8080407@ornl.gov>
References: <4498360A.7090807@ornl.gov> <20060620181024.GA31078@arlut.utexas.edu> <1150827779.19484.7.camel@localhost.localdomain> <44983F25.5010801@ornl.gov> <1150828819.19484.14.camel@localhost.localdomain> <449843F5.2080503@ornl.gov> <449844AD.4010804@us.ibm.com>
In-reply-to: <449844AD.4010804@us.ibm.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Michael C Thompson wrote:
> Steve wrote:
>>>> Is it possible to tell if a file was opened read/write or read-only
>>>> from the events generated by audit?
>>
>>> The record does record syscall arguments, however, so perhaps you could
>>> analyze a1= (I believe this is the argument that passes flags), and
>>> figure out what flags open() was called with.
>>
>> I performed an open on a file twice, the first is when the user had
>> read/write privileges to the file and in the second the user only has
>> read permissions. These were the a# values from the events,
>> respectively:
>>
>> a0=bfe6ac25 a1=8000 a2=0 a3=8000
>>
>> a0=bfd25b55 a1=8000 a2=0 a3=8000
>>
>> I'm not sure how to analyze that...
>
> In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and
> O_LARGEFILE (0100000 octal, 0x8000 hex).
>
> So it was opened as read-only. You can't determine the level of access
> the user has from the above, although you should be able to infer some
> information about it from the entire record.
>
> Mike

The file is owned by root and the group for the file is root. The
permissions are 664. Here is the whole record for root accessing the file:

audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3 a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0

and for the normal user:

audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3 a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts3 comm="vim" exe="/usr/bin/vim" subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0

I am not sure why it opens the file as read-only when root opens it...

Steve
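An added example (not from the thread or the audit project) that decodes a1 the way Mike describes and runs it over Steve's two records: it reports the access mode open() requested and, separately, a rough DAC estimate from the uid/mode fields of what the opener could have done, which is exactly the distinction Mike draws. The flag values assumed are the x86 ones from <asm-generic/fcntl.h>; the DAC check ignores supplementary groups, capabilities other than uid 0, and SELinux.

```python
import re

# open(2) flag bits for x86 (arch=40000003 is i386), from <asm-generic/fcntl.h>.
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAG_BITS = [(0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o400, "O_NOCTTY"), (0o1000, "O_TRUNC"),
             (0o2000, "O_APPEND"), (0o4000, "O_NONBLOCK"), (0o10000, "O_DSYNC"), (0o20000, "O_ASYNC"),
             (0o40000, "O_DIRECT"), (0o100000, "O_LARGEFILE"), (0o200000, "O_DIRECTORY"),
             (0o400000, "O_NOFOLLOW"), (0o1000000, "O_NOATIME"), (0o2000000, "O_CLOEXEC")]
SYSCALL_OPEN_I386 = 5  # __NR_open on i386

def parse_record(line):
    """Split an audit record into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def decode_open_flags(a1_hex):
    """a1 is logged in hex; return the access mode plus any other flag names set."""
    flags = int(a1_hex, 16)
    return [ACCESS[flags & 0o3]] + [n for bit, n in FLAG_BITS if flags & bit]

def dac_could_write(rec):
    """Rough DAC check (no supplementary groups, capabilities or SELinux): could the opener write?"""
    mode, fsuid, fsgid = int(rec["mode"], 8), int(rec["fsuid"]), int(rec["fsgid"])
    if fsuid == 0:
        return True
    if fsuid == int(rec["ouid"]):
        return bool(mode & 0o200)
    if fsgid == int(rec["ogid"]):
        return bool(mode & 0o020)
    return bool(mode & 0o002)

def analyse(line):
    rec = parse_record(line)
    if rec.get("arch") != "40000003" or int(rec["syscall"]) != SYSCALL_OPEN_I386:
        return None  # only i386 open() records are handled here
    flags = decode_open_flags(rec["a1"])
    return {"comm": rec["comm"], "name": rec["name"], "flags": flags,
            "requested_write": flags[0] != "O_RDONLY", "could_write": dac_could_write(rec)}

# Sample input: the two records posted in the thread, each joined onto a single line.
ROOT_RECORD = ('audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3 a0=9a62398 a1=8000 a2=0 a3=8000 '
               'items=1 ppid=23750 pid=25063 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 '
               'comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x/src/iitds/sensor/plugins" '
               'item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0')
USER_RECORD = ('audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3 a0=8669560 a1=8000 a2=0 a3=8000 '
               'items=1 ppid=24750 pid=25069 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 '
               'tty=pts3 comm="vim" exe="/usr/bin/vim" subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0 '
               'name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0')

if __name__ == "__main__":
    for line in (ROOT_RECORD, USER_RECORD):
        print(analyse(line))
```

Both records decode to O_RDONLY|O_LARGEFILE, so the editor asked for read access in each case even though root could have written the file; a later write by vi would show up as a separate open() record with O_WRONLY or O_RDWR in a1.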