Hello,
We have an internal group auditing updates to files but who would like
to be able to monitor the actual modification rather than the possible
intent to modify.
The example they gave is that some program opens a file
O_WRONLY|O_APPEND but in most cases it does not subsequently write to
the file. For them, the usual auditctl -p path -w wa causes lots of
false positives.
Historically, I know, that -w wa is triggered by the open(2) flags
rather than actual modifications because "[t]he read & write syscalls
are omitted from this set since they would overwhelm the logs." Reading
this again now, it looks a little specious as it seems quite easy to
overwhelm the logs anyway.
Is there any reason why a file watcher should not use the fsnotify
FS_ACCESS/MODIFY/ATTRIB masks before I go haring off to try to implement
that?
jch