On Fri, 2006-07-07 at 22:00 -0400, Amy Griffis wrote:
> <snip>
> As Tim mentioned, the idea is that to determine if a file is modified,
> you would filter for open() calls with either the O_RDWR or O_WRONLY
> flag. This is pretty unwieldy with the current feature set since you
> would need a separate rule for every possible combination of flags
> that includes O_RDWR or O_WRONLY. I really think we need to enhance
> the filtering options available for open() calls, since trying to
> audit the actual modifications is much more difficult.
> If you are missing events for open() calls, please let us know since
> that would be a bug (versus a lacking feature).
> Thanks for testing.
> Amy
I think this is a bug. We see audit records for a failed attempt at
writing a file (e.g. chmod -w foo, echo "bar" > foo) via redirection,
but not otherwise.
-tim
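As an added illustration of the two points in this exchange (not code from the thread or from the audit project): a small Python post-filter that applies the access-mode mask check a single rule cannot express, and a count of how many exact-match rules enumerating the flag combinations would take. The audit records below are constructed for the example; they assume the x86_64 ABI, where syscall 2 is open() and a1 carries the flags argument in hex.

```python
import re

# Linux open(2) flag bits (x86_64 ABI values, octal as in <fcntl.h>).
O_WRONLY, O_RDWR, O_ACCMODE = 0o1, 0o2, 0o3
EXTRA_FLAGS = {  # common modifiers that can be OR-ed with the access mode
    "O_CREAT": 0o100, "O_EXCL": 0o200, "O_NOCTTY": 0o400,
    "O_TRUNC": 0o1000, "O_APPEND": 0o2000, "O_NONBLOCK": 0o4000,
}

# Constructed sample records (not from the thread). Serial 101 is "echo bar > foo"
# (O_WRONLY|O_CREAT|O_TRUNC = 0x241), 102 the same open failing with EACCES after
# "chmod -w foo", 103 a read-only open by cat, 104 "echo bar >> foo" (0x441).
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1152322800.100:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0001 a1=241 a2=1b6 a3=0 pid=2001 uid=500 comm="bash" key="foo-watch"
type=SYSCALL msg=audit(1152322800.200:102): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0002 a1=241 a2=1b6 a3=0 pid=2002 uid=500 comm="bash" key="foo-watch"
type=PATH msg=audit(1152322800.200:102): item=0 name="foo" inode=12345 mode=0100444 ouid=500
type=SYSCALL msg=audit(1152322800.300:103): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0003 a1=0 a2=0 a3=0 pid=2003 uid=500 comm="cat" key="foo-watch"
type=SYSCALL msg=audit(1152322800.400:104): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0004 a1=441 a2=1b6 a3=0 pid=2004 uid=500 comm="bash" key="foo-watch"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return the key=value fields of one audit record as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def opens_for_write(flags):
    """True when the access mode of the open() flags is O_WRONLY or O_RDWR.
    This mask test, not an exact a1 match, is what 'file may be modified' means."""
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)

def modifying_opens(records):
    """Yield (serial, comm, succeeded, flags) for open() records with write intent."""
    for line in records.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "2":
            continue
        flags = int(rec["a1"], 16)
        if opens_for_write(flags):
            serial = rec["msg"].split(":")[1].rstrip(")")
            yield int(serial), rec["comm"], rec["success"] == "yes", flags

def rules_needed(extra_flags=EXTRA_FLAGS):
    """Exact-match a1 rules needed to cover every combination that includes
    O_WRONLY or O_RDWR: two access modes times every subset of the extras."""
    return 2 * 2 ** len(extra_flags)

if __name__ == "__main__":
    for serial, comm, ok, flags in modifying_opens(SAMPLE_RECORDS):
        print(f"{serial}: {comm} flags=0x{flags:x} success={ok}")
    print("exact-match rules needed:", rules_needed())
```

With these six modifiers alone the enumeration already needs 128 rules, which is the unwieldiness the message describes; the post-filter instead keeps the three write-intent opens (101, 102, 104), including the failed one.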