On Tuesday 20 June 2006 16:30, Amy Griffis wrote:
It would be nice if it were possible to further filter the open calls,
by allowing the rule to specify certain flags like O_CREAT, O_RDONLY,
O_WRONLY or O_RDWR. That could do quite a bit to eliminate
unwanted log data.
What do others think, should we consider adding something like this?
Yes, this is what the "rwex" flags to -p of auditctl allowed us to do. But we
also need to have a perm field that makes it easy to see what the requested
perm was.
-Steve