I’m running CentOS-6.5-i386-minimal.

I recently used auditd to set up a watch on a specific file (-w /path/to/my/file -p warx), but found it difficult to distinguish system calls that were modifying the file from those reading the file when using ausearch/aureport.

In response to that, I separated out the watches by keys:

-w /path/to/my/file -p wa -k thisisawrite
-w /path/to/my/file -p r -k thisisaread

And then ran both aureport -k and aureport -f to join the keys to the system calls by event number.

Am I wholly approaching this the wrong way, or is there an easier way to distinguish between a syscall that reads from a file vs. writes to a file?

Assuming this is the correct approach, would there then be a benefit to adding the key to the aureport -f output? I find it awkward to have to combine the two commands to get the necessary information.

Regards,

Jon Smith
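As an added example (not part of the post above and not audit's own tooling), here is the join the post describes done in a standalone Python script: it groups raw audit.log records by event serial, takes the rule key from the SYSCALL record and the file name(s) from the PATH records of the same event, and cross-checks the key against the open(2) flags carried in the syscall arguments, so a read-keyed event that actually opened the file for writing would stand out. The syscall numbers assumed are i386 (arch=40000003, matching the i386 system in the post), and the sample records are constructed for this example, not real log output.

```python
import re
import sys
from collections import defaultdict

# Constructed sample records in raw /var/log/audit/audit.log format (not real log data).
# Serial 101: vi opens the file with O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE (a1=0x8241).
# Serial 102: cat opens the file with O_RDONLY|O_LARGEFILE (a1=0x8000).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1400000000.101:101): arch=40000003 syscall=5 success=yes exit=3 a0=bfa1c2d0 a1=8241 a2=1b6 a3=0 items=2 ppid=1 pid=1234 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/bin/vi" key="thisisawrite"
type=CWD msg=audit(1400000000.101:101):  cwd="/root"
type=PATH msg=audit(1400000000.101:101): item=0 name="/path/to/my/" inode=1 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1400000000.101:101): item=1 name="/path/to/my/file" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1400000000.102:102): arch=40000003 syscall=5 success=yes exit=3 a0=bfa1c2d0 a1=8000 a2=0 a3=0 items=1 ppid=1 pid=1235 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="thisisaread"
type=PATH msg=audit(1400000000.102:102): item=0 name="/path/to/my/file" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# Syscall numbers for arch=40000003 (i386); an assumption for this example. Other
# architectures use different numbers, and ausearch -i is the authoritative decoder.
I386_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close", 295: "openat"}
O_ACCMODE, O_RDONLY = 0o3, 0o0

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group raw records by event serial (the number ausearch/aureport join on)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        fields["_type"] = rtype
        events[int(serial)].append(fields)
    return events


def classify_event(records):
    """Return (key, paths, syscall_name, access) for one event, or None if it has no SYSCALL record."""
    syscall = next((r for r in records if r["_type"] == "SYSCALL"), None)
    if syscall is None:
        return None
    paths = [r["name"] for r in records if r["_type"] == "PATH"]
    key = syscall.get("key", "(none)")
    nr = int(syscall["syscall"])
    name = I386_SYSCALLS.get(nr, "syscall_%d" % nr)
    access = "unknown"
    if name in ("open", "openat"):
        # open(path, flags, mode) keeps flags in a1; openat(dirfd, path, flags, mode) in a2.
        # Argument values in raw records are hex without a 0x prefix.
        flags = int(syscall["a1" if name == "open" else "a2"], 16)
        access = "read" if (flags & O_ACCMODE) == O_RDONLY else "write"
    elif name in ("read", "write"):
        access = name
    return key, paths, name, access


def report(text):
    """Map event serial -> (key, paths, syscall_name, access) for every event with a SYSCALL record."""
    result = {}
    for serial, records in sorted(parse_events(text).items()):
        classified = classify_event(records)
        if classified is not None:
            result[serial] = classified
    return result


if __name__ == "__main__":
    # Usage: audit_rw.py [/var/log/audit/audit.log]; defaults to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for serial, (key, paths, name, access) in report(text).items():
        print("%d %-13s %-6s %-5s %s" % (serial, key, name, access, ", ".join(paths)))
```

The key only appears in the SYSCALL record when the rule is loaded with -k (as in the corrected rules above); without it the field reads key=(null) and the script falls back to the flag-based classification alone. Running the script against a real audit.log lets you see, per event, whether the key and the open flags agree.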