Steve wrote:
>> Is it possible to tell if a file was opened read/write or read-only
>> from the events generated by audit?
> The record does record syscall arguments, however, so perhaps you could
> analyze a1= (I believe this is the argument that passes flags), and
> figure out with what flags open() was called.
I performed an open on a file twice, the first is when the user had
read/write privileges to the file and in the second the user only has
read permissions. These were the a# values from the events, respectively:
a0=bfe6ac25 a1=8000 a2=0 a3=8000
a0=bfd25b55 a1=8000 a2=0 a3=8000
I'm not sure how to analyze that...
In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and
O_LARGEFILE (0100000 octal, 0x8000 hex).
So it was opened as read-only. You can't determine the level of access
the user has from the above, although you should be able to infer some
information about it from the entire record.
Mike
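The decoding Mike describes, carried out over whole SYSCALL records, as an added example that is not part of the original thread or of the audit project's own code. The flag constants are the Linux asm-generic values from the kernel's fcntl.h (the ones x86 uses, hard-coded rather than read from the running host, since glibc defines O_LARGEFILE as 0 on x86_64), and the arch/syscall pairs for i386 and x86_64 are hard-coded the same way. Note that for openat(2) the flags travel in a2, not a1. The first sample line carries the a1=8000 value from the thread; every other field and the remaining sample lines are constructed for illustration.

```python
"""Decode the flags argument of open(2)/openat(2) from raw audit SYSCALL records.

Added example, not code from the original thread. Constants are the
asm-generic (x86) values; syscall numbers are hard-coded for i386 and
x86_64 so the script runs on any host. Sample records are constructed.
"""
import re
from typing import List, Optional

O_ACCMODE = 0o3
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR", 3: "O_ACCMODE"}
# Remaining flag bits, octal as in <asm-generic/fcntl.h>.
FLAG_BITS = [
    (0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o400, "O_NOCTTY"),
    (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o4000, "O_NONBLOCK"),
    (0o10000, "O_DSYNC"), (0o20000, "FASYNC"), (0o40000, "O_DIRECT"),
    (0o100000, "O_LARGEFILE"), (0o200000, "O_DIRECTORY"),
    (0o400000, "O_NOFOLLOW"), (0o1000000, "O_NOATIME"),
    (0o2000000, "O_CLOEXEC"), (0o4000000, "__O_SYNC"),
    (0o10000000, "O_PATH"), (0o20000000, "__O_TMPFILE"),
]

# (arch, syscall number) -> index of the aN field that carries the flags.
# arch=40000003 is AUDIT_ARCH_I386, arch=c000003e is AUDIT_ARCH_X86_64.
FLAG_ARG = {
    ("40000003", 5): 1,    # i386 open(path, flags, mode)
    ("40000003", 295): 2,  # i386 openat(dirfd, path, flags, mode)
    ("c000003e", 2): 1,    # x86_64 open
    ("c000003e", 257): 2,  # x86_64 openat
}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Split a raw audit record into its key=value fields (values kept as strings)."""
    return dict(_KV.findall(line))


def decode_open_flags(flags: int) -> List[str]:
    """Turn the numeric flags word into symbolic names, access mode first."""
    names = [ACCESS_MODES[flags & O_ACCMODE]]
    names += [name for bit, name in FLAG_BITS if flags & bit]
    return names


def open_flags_from_record(rec: dict) -> Optional[int]:
    """Return the flags argument of an open/openat SYSCALL record, else None."""
    if rec.get("type") != "SYSCALL":
        return None
    arg = FLAG_ARG.get((rec.get("arch"), int(rec.get("syscall", "-1"))))
    if arg is None:
        return None
    return int(rec["a%d" % arg], 16)  # audit prints aN in hex without 0x


def describe(line: str) -> Optional[dict]:
    """What access the caller asked for, and whether the kernel granted it.

    The flags say what the process requested; success=/exit= say whether the
    open was allowed. Neither tells you the user's permissions on the file.
    """
    rec = parse_record(line)
    flags = open_flags_from_record(rec)
    if flags is None:
        return None
    mode = flags & O_ACCMODE
    return {
        "flags": decode_open_flags(flags),
        "for_write": mode in (1, 2),          # O_WRONLY or O_RDWR
        "succeeded": rec.get("success") == "yes",
        "exit": int(rec.get("exit", "0")),    # fd on success, -errno on failure
    }


SAMPLE_RECORDS = [
    # a1=8000 as posted in the thread; all other fields constructed.
    'type=SYSCALL msg=audit(1300000000.000:101): arch=40000003 syscall=5 '
    'success=yes exit=3 a0=bfe6ac25 a1=8000 a2=0 a3=8000 items=1 ppid=1 '
    'pid=2 uid=500 comm="cat" exe="/bin/cat"',
    # Constructed: O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, refused with EACCES.
    'type=SYSCALL msg=audit(1300000000.001:102): arch=40000003 syscall=5 '
    'success=no exit=-13 a0=bfd25b55 a1=8241 a2=1b6 a3=8000 items=1 ppid=1 '
    'pid=3 uid=500 comm="sh" exe="/bin/sh"',
    # Constructed: x86_64 openat(AT_FDCWD, path, O_RDWR|O_CLOEXEC); flags in a2.
    'type=SYSCALL msg=audit(1300000000.002:103): arch=c000003e syscall=257 '
    'success=yes exit=4 a0=ffffff9c a1=7ffd0b2c1e40 a2=80002 a3=0 items=1 '
    'ppid=1 pid=4 uid=500 comm="python3" exe="/usr/bin/python3"',
    # Constructed: an x86_64 read(2), not an open; ignored by describe().
    'type=SYSCALL msg=audit(1300000000.003:104): arch=c000003e syscall=0 '
    'success=yes exit=512 a0=4 a1=7ffd0b2c2000 a2=200 a3=0 items=0 ppid=1 '
    'pid=4 uid=500 comm="python3" exe="/usr/bin/python3"',
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(describe(line))
```

Run it as-is and the first record decodes to O_RDONLY|O_LARGEFILE, the second to a write open that failed with exit=-13 (EACCES), the third to a read/write openat. Records from other architectures or for other syscalls need their own (arch, syscall) entries in FLAG_ARG; later versions of ausearch -i perform the same interpretation of a1 for you.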