From: Steve
Subject: Re: Bypassing audit's file watches
Date: Mon, 10 Jul 2006 07:32:26 -0400
Message-ID: <44B23ACA.10409@ornl.gov>
References: <44AE76A2.9050205@ornl.gov> <20060708020002.GA5350@dill.zko.hp.com>
In-reply-to: <20060708020002.GA5350@dill.zko.hp.com>
To: Steve, linux-audit@redhat.com

Amy Griffis wrote:
> Steve wrote: [Fri Jul 07 2006, 10:58:42AM EDT]
>> I have found that I can modify files that are being watched and audit
>> does not catch it (i.e. no events are dispatched). When monitoring a file for
>> all system calls, I can:
>>
>> echo "" > /file/to/watch
>>
>> or
>>
>> cat some_file > /file/to/watch
>>
>> without generating audit events.
>
> Are you seeing the open and not the write, or no records at all?
> If you are missing events for open() calls, please let us know since
> that would be a bug (versus a lacking feature).

I am not seeing the open() or any other syscall records.

Steve