On Tue, Jun 20, 2006 at 01:53:14PM -0400, Steve wrote:
| I have audit set to monitor all system calls for a file. I see some
| system calls for it, but I think some may be missing... If I create the
| file using vi, I only see an open followed by a stat64. Shouldn't there
| be a write of some type? stat and open can't write to a file, can they?
Generally (and I'm speaking from my experience with Snare, here), one
does not attempt to audit the actual read and write syscalls. Mainly
because there are far, far too many of them, and you need their
performance to be as high as conceivably possible.
Instead, you audit the file open, and make a note of whether the file
was opened read-only, or for read/write. If it was opened for
read/write, one presumes that it was written to.
Jon
| Thanks,
| Steve
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey(a)arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu,
http://www.ganymeta.org/workkey.gpg
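The approach Jon describes, auditing the open rather than every read and write and inferring a write from the open flags, can be applied directly to Linux audit SYSCALL records. The following script is an added example and is not code from either poster or from Snare or auditd: it groups records by event id, decodes the flags argument of open/openat (a1 for open, a2 for openat; x86 syscall numbers and flag values are assumed, other architectures differ), joins the PATH record to name the file, and marks the event as a probable write when the file was opened write-only or read/write. The log lines are constructed for the example, modelled on the vi session in the question: an open with O_WRONLY|O_CREAT|O_TRUNC followed by a stat64, and a later read-only open by cat.

```python
import re
from collections import defaultdict

# open(2) flag bits for Linux on x86 (same values on i386 and x86_64).
# Assumption: the records come from an x86 machine; other arches use other values.
O_ACCMODE = 0o3
O_WRONLY = 0o1
O_RDWR = 0o2
O_CREAT = 0o100
O_TRUNC = 0o1000
O_APPEND = 0o2000

# Open-family syscalls per audit "arch" value: syscall number -> index of the
# argument (a0..a3) that carries the flags. open() keeps them in a1, openat() in a2.
OPEN_SYSCALLS = {
    "40000003": {5: 1, 295: 2},   # i386:   open=5, openat=295
    "c000003e": {2: 1, 257: 2},   # x86_64: open=2, openat=257
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

# Constructed sample records (not real audit output): vi creating a watched file,
# the stat64 that follows it, and a later read-only open of the same file by cat.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1150826000.101:300): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe8a4 a1=8241 a2=1a4 a3=0 items=2 pid=2210 auid=500 uid=500 comm="vi" exe="/usr/bin/vi" key="secret-watch"
type=CWD msg=audit(1150826000.101:300): cwd="/home/steve"
type=PATH msg=audit(1150826000.101:300): item=0 name="/home/steve" inode=1234 dev=08:01 mode=040755 ouid=500 ogid=500
type=PATH msg=audit(1150826000.101:300): item=1 name="/home/steve/secret.txt" inode=5678 dev=08:01 mode=0100644 ouid=500 ogid=500
type=SYSCALL msg=audit(1150826000.102:301): arch=40000003 syscall=195 success=yes exit=0 a0=bfffe8a4 a1=bfffe700 a2=0 a3=0 items=1 pid=2210 auid=500 uid=500 comm="vi" exe="/usr/bin/vi" key="secret-watch"
type=PATH msg=audit(1150826000.102:301): item=0 name="/home/steve/secret.txt" inode=5678 dev=08:01 mode=0100644 ouid=500 ogid=500
type=SYSCALL msg=audit(1150826000.203:302): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe8a4 a1=8000 a2=0 a3=0 items=1 pid=2250 auid=500 uid=500 comm="cat" exe="/bin/cat" key="secret-watch"
type=PATH msg=audit(1150826000.203:302): item=0 name="/home/steve/secret.txt" inode=5678 dev=08:01 mode=0100644 ouid=500 ogid=500
"""


def parse_record(line):
    """Split one audit record into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def describe_flags(flags):
    """Decode a numeric open() flags word into (access mode, list of extra flags)."""
    mode = flags & O_ACCMODE
    access = {0: "read-only", O_WRONLY: "write-only", O_RDWR: "read/write"}.get(mode, "unknown")
    extras = [name for bit, name in ((O_CREAT, "create"), (O_TRUNC, "truncate"), (O_APPEND, "append"))
              if flags & bit]
    return access, extras


def classify_opens(lines):
    """Group records by event id and summarise each open-family syscall.

    A write is *inferred* from the access mode, as the reply above describes;
    the log itself carries no write() record.
    """
    events = defaultdict(list)
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events[m.group(1)].append(parse_record(line))

    results = []
    for event_id, records in events.items():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        arg_index = OPEN_SYSCALLS.get(syscall.get("arch"), {}).get(int(syscall.get("syscall", -1)))
        if arg_index is None:
            continue  # stat64, close, etc. carry no open flags
        flags = int(syscall["a%d" % arg_index], 16)  # audit prints a0..a3 in hex
        access, extras = describe_flags(flags)
        # Heuristic: the PATH record with the highest item number names the file
        # itself (item 0 is the parent directory when O_CREAT is involved).
        paths = [r for r in records if r.get("type") == "PATH"]
        name = max(paths, key=lambda r: int(r.get("item", 0))).get("name") if paths else None
        results.append({
            "event": event_id,
            "comm": syscall.get("comm"),
            "file": name,
            "access": access,
            "extras": extras,
            "success": syscall.get("success") == "yes",
            "probably_written": access in ("write-only", "read/write"),
        })
    return results


if __name__ == "__main__":
    for r in classify_opens(SAMPLE_LOG.splitlines()):
        print("%s %-4s %-25s %-10s %s written=%s" % (
            r["event"], r["comm"], r["file"], r["access"], r["extras"], r["probably_written"]))
```

Run against the sample, the vi open is reported as write-only with create and truncate set (a1=8241 is O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY), the stat64 is skipped because it carries no flags, and cat's open is read-only, which is exactly the distinction the reply relies on. A failed open (success=no) is still reported so that attempted writes to a watched file remain visible.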