Michael C Thompson wrote:
Steve wrote:
>>> Is it possible to tell if a file was opened read/write or read-only
>>> from the events generated by audit?
>
>> The record does record syscall arguments, however, so perhaps you could
>> analyze a1= (I believe this is the argument that passes flags), and
>> figure out with what flags open() was called with.
>
> I performed an open on a file twice, the first is when the user had
> read/write privileges to the file and in the second the user only has
> read permissions. These were the a# values from the events,
> respectively:
>
> a0=bfe6ac25 a1=8000 a2=0 a3=8000
>
> a0=bfd25b55 a1=8000 a2=0 a3=8000
>
> I'm not sure how to analyze that...
In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and
O_LARGEFILE (0100000 octal, 0x8000 hex).
So the file was opened as read-only. You can't determine the level of access
the user has from the above, although you should be able to infer some
information about it from the entire record.
Mike
The file is owned by root and the group for the file is root. The
permissions are 664.
Here is the whole record for root accessing the file
audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3
a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0
cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c"
inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00
obj=user_u:object_r:tmp_t:s0
and for the normal user:
audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3
a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=pts3 comm="vim" exe="/usr/bin/vim"
subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0
name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0
rdev=00:00 obj=user_u:object_r:tmp_t:s0
I am not sure why it opens the file as read-only when root opens it...
Steve
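As an added example (not code from this thread), here is a small Python script that does the decoding Mike describes by hand: it parses the two records Steve posted, splits a1 into the access mode and the remaining open(2) flag bits, and then uses mode=, ouid=/ogid= and the caller's fsuid/fsgid from the same record to infer what DAC access the caller would have had. The flag values assumed are the i386 ones (the records say arch=40000003); O_LARGEFILE in particular differs between architectures. The DAC inference only sees the primary group, since supplementary groups are not in the record, and the "root bypasses DAC" shortcut is an assumption about CAP_DAC_OVERRIDE not having been dropped.

```python
import re

# open(2) flag values for the i386 ABI (arch=40000003 in the records above).
# Assumption: i386 values; O_LARGEFILE differs on other architectures.
O_ACCMODE = 0o3
ACCESS_MODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OTHER_FLAGS = {
    "O_CREAT": 0o100, "O_EXCL": 0o200, "O_NOCTTY": 0o400, "O_TRUNC": 0o1000,
    "O_APPEND": 0o2000, "O_NONBLOCK": 0o4000, "O_SYNC": 0o10000,
    "O_LARGEFILE": 0o100000, "O_DIRECTORY": 0o200000, "O_NOFOLLOW": 0o400000,
}
# Which argument carries the flags: open(2) is syscall 5 on i386 (flags in a1),
# openat(2) is 295 on i386 (flags in a2).
FLAG_ARG = {"5": "a1", "295": "a2"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two records from the thread, re-joined onto one line each.
ROOT_RECORD = (
    'audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3 '
    'a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 '
    'comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0 '
    'cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c" '
    'inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 '
    'obj=user_u:object_r:tmp_t:s0'
)
USER_RECORD = (
    'audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3 '
    'a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500 '
    'uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 '
    'tty=pts3 comm="vim" exe="/usr/bin/vim" '
    'subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0 '
    'name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 '
    'rdev=00:00 obj=user_u:object_r:tmp_t:s0'
)


def parse_record(text):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(text)}


def decode_open_flags(arg_hex):
    """Decode an open(2) flags argument as audit prints it (hex) into flag names.

    The low two bits are the access mode; every other set bit is matched
    against OTHER_FLAGS in table order.
    """
    flags = int(arg_hex, 16)
    names = [ACCESS_MODE[flags & O_ACCMODE]]
    names += [name for name, bit in OTHER_FLAGS.items() if flags & bit]
    return names


def dac_access(fields):
    """Infer the caller's DAC read/write permission on the file from the record.

    Uses fsuid/fsgid (what the kernel checks) against ouid/ogid and mode=.
    Only the primary group is visible here, so supplementary groups are ignored.
    Returns "rw", "r-", "-w" or "--".
    """
    mode = int(fields["mode"], 8) & 0o777
    fsuid, fsgid = int(fields["fsuid"]), int(fields["fsgid"])
    if fsuid == 0:
        # Assumption: CAP_DAC_OVERRIDE is in effect, so root bypasses mode bits.
        return "rw"
    if fsuid == int(fields["ouid"]):
        bits = (mode >> 6) & 7
    elif fsgid == int(fields["ogid"]):
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-")


def analyze(text):
    """Summarise what an open/openat record tells us about the access requested."""
    f = parse_record(text)
    flags = decode_open_flags(f[FLAG_ARG[f["syscall"]]])
    return {
        "comm": f["comm"],
        "name": f["name"],
        "requested": flags[0],      # access mode actually asked for in the flags
        "flags": flags,
        "dac": dac_access(f),       # access the caller could have obtained
        "success": f["success"] == "yes",
    }


if __name__ == "__main__":
    for rec in (ROOT_RECORD, USER_RECORD):
        print(analyze(rec))
```

Running it shows both records requested O_RDONLY|O_LARGEFILE, while the DAC inference differs: root could have written the file, the uid 500 user could not. That is exactly the distinction Mike draws, i.e. the flags tell you what the process asked for, and only the ownership and mode fields in the rest of the record let you say anything about what the user was permitted to do. An editor that later writes the file out will typically produce a separate open record with a write access mode plus O_CREAT/O_TRUNC in the flags, which is where read/write use actually becomes visible.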