From mboxrd@z Thu Jan  1 00:00:00 1970
From: John Haxby <john.haxby@oracle.com>
Subject: path watcher
Date: Fri, 22 Aug 2014 16:31:24 +0100
Message-ID: <53F7624C.2000903@oracle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com
	[10.5.110.17])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id s7MFVWsw025385
	for <linux-audit@redhat.com>; Fri, 22 Aug 2014 11:31:32 -0400
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s7MFVTDu019045
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL)
	for <linux-audit@redhat.com>; Fri, 22 Aug 2014 11:31:30 -0400
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
	by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with
	ESMTP id s7MFVSm4008770
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <linux-audit@redhat.com>; Fri, 22 Aug 2014 15:31:29 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85])
	by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	s7MFVRnv028770
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL)
	for <linux-audit@redhat.com>; Fri, 22 Aug 2014 15:31:27 GMT
Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15])
	by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	s7MFVQeK015117
	for <linux-audit@redhat.com>; Fri, 22 Aug 2014 15:31:27 GMT
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

We have an internal group auditing updates to files but who would like
to be able to monitor the actual modification rather than the possible
intent to modify.

The example they gave is that some program opens a file
O_WRONLY|O_APPEND but in most cases it does not subsequently write to
the file.  For them, the usual auditctl -p path -w wa causes lots of
false positives.

Historically, I know, that -w wa is triggered by the open(2) flags
rather than actual modifications because "[t]he read & write syscalls
are omitted from this set since they would overwhelm the logs."  Reading
this again now, it looks a little specious as it seems quite easy to
overwhelm the logs anyway.

Is there any reason why a file watcher should not use the fsnotify
FS_ACCESS/MODIFY/ATTRIB masks before I go haring off to try to implement
that?

jch