* file watch: separating file reads and writes
@ 2014-07-09 4:00 Jon Smith
2014-07-10 20:24 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: Jon Smith @ 2014-07-09 4:00 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 891 bytes --]
I'm running CentOS-6.5-i386-minimal.
I recently used auditd to setup a watch on a specific file (-w /path/to/my/file -p warx), but found it difficult to distinguish system calls that were modifying the file vs. reading from the file when using ausearch/aureport.
In response to that, I separated out the watches by keys:
-w /patch/to/my/file -p wa thisisawrite
-w /path/to/my/file -p r thisisaread
And then ran both aureport -k and aureport -f to join the keys to the system calls by event number.
Am I wholly approaching this the wrong way, or is there an easier way to distinguish between a syscall that reads from a file vs. writes to a file?
Assuming this is the correct approach, would there then be a benefit to adding the key to the aureport -f output? I find it awkward to have to combine the two commands to get the necessary information.
Regards,
Jon Smith
[-- Attachment #1.2: Type: text/html, Size: 3107 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: file watch: separating file reads and writes
2014-07-09 4:00 file watch: separating file reads and writes Jon Smith
@ 2014-07-10 20:24 ` Steve Grubb
2014-07-22 2:19 ` Jon Smith
0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2014-07-10 20:24 UTC (permalink / raw)
To: linux-audit
On Wednesday, July 09, 2014 04:00:18 AM Jon Smith wrote:
> I recently used auditd to setup a watch on a specific file (-w
> /path/to/my/file -p warx), but found it difficult to distinguish system
> calls that were modifying the file vs. reading from the file when using
> ausearch/aureport.
>
> In response to that, I separated out the watches by keys:
>
> -w /patch/to/my/file -p wa thisisawrite
> -w /path/to/my/file -p r thisisaread
This sounds like the correct way to do it.
> And then ran both aureport -k and aureport -f to join the keys to the system
> calls by event number.
Why not use ausearch -k? You can also give a partial key name since partial
matching is the default. You could use: ausearch --start today -k thisisa
> Am I wholly approaching this the wrong way, or is there an easier way to
> distinguish between a syscall that reads from a file vs. writes to a file?
Well, what you are getting is the requested permissions, rather than actual
use of the permissions. I think it can be assumed that if an app opens a file
for write, it will eventually get around to that. But not always.
> Assuming this is the correct approach, would there then be a benefit to
> adding the key to the aureport -f output? I find it awkward to have to
> combine the two commands to get the necessary information.
No one has asked for that so far. There is one quirk about keys, you can have
multiple keys for the same event. So, that could be a bit of text if you have
several. The idea of aureport was to have a utility that can extract, total,
and sort properties of the event.
-Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
* RE: file watch: separating file reads and writes
2014-07-10 20:24 ` Steve Grubb
@ 2014-07-22 2:19 ` Jon Smith
0 siblings, 0 replies; 3+ messages in thread
From: Jon Smith @ 2014-07-22 2:19 UTC (permalink / raw)
To: Steve Grubb, linux-audit@redhat.com
Steve,
I just wanted to thank you for your reply. I totally overlooked the ability to pipe ausearch output to aureport, so the end result looked like this:
ausearch -k thisisawrite | aureport -f
And that solved my problem.
Thank you very much for your time.
Regards,
Jon Smith
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, July 10, 2014 1:25 PM
To: linux-audit@redhat.com
Cc: Jon Smith
Subject: Re: file watch: separating file reads and writes
On Wednesday, July 09, 2014 04:00:18 AM Jon Smith wrote:
> I recently used auditd to setup a watch on a specific file (-w
> /path/to/my/file -p warx), but found it difficult to distinguish
> system calls that were modifying the file vs. reading from the file
> when using ausearch/aureport.
>
> In response to that, I separated out the watches by keys:
>
> -w /patch/to/my/file -p wa thisisawrite -w /path/to/my/file -p r
> thisisaread
This sounds like the correct way to do it.
> And then ran both aureport -k and aureport -f to join the keys to the
> system calls by event number.
Why not use ausearch -k? You can also give a partial key name since partial matching is the default. You could use: ausearch --start today -k thisisa
> Am I wholly approaching this the wrong way, or is there an easier way to
> distinguish between a syscall that reads from a file vs. writes to a file?
Well, what you are getting is the requested permissions, rather than actual
use of the permissions. I think it can be assumed that if an app opens a file
for write, it will eventually get around to that. But not always.
> Assuming this is the correct approach, would there then be a benefit to
> adding the key to the aureport -f output? I find it awkward to have to
> combine the two commands to get the necessary information.
No one has asked for that so far. There is one quirk about keys, you can have
multiple keys for the same event. So, that could be a bit of text if you have
several. The idea of aureport was to have a utility that can extract, total,
and sort properties of the event.
-Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-07-22 2:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-07-09 4:00 file watch: separating file reads and writes Jon Smith
2014-07-10 20:24 ` Steve Grubb
2014-07-22 2:19 ` Jon Smith
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox