file change tracking

All, Ok, let me preface by saying I'm an auditd novice. Ok, so I've basically gotten a watch on 3 files and a filter to never log mount syscalls, with the following rules: [root@XXXX audit]# auditctl -l AUDIT_LIST: exit,never syscall=mount AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/important, filterkey=important_file, perms=wa, valid=0 AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/shadow, filterkey=important_file, perms=wa, valid=0 AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/passwd, filterkey=important_file, perms=wa, valid=0 I'm only interested in when the file is written to or appended (hence the wa). However, I'm running into something that I was hoping I could get confirmed on this list. When I vi one of the files, and quit without writing content to the file, I get the following lines to my audit.log: type=SYSCALL msg=audit(1184082224.278:6396): arch=c000003e syscall=21 success=yes exit=0 a0=75d930 a1=2 a2=0 a3=1 items=1 pid=28804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="vim" exe="/usr/bin/vim" type=FS_WATCH msg=audit(1184082224.278:6396): watch_inode=36339931 watch="passwd" filterkey=important_file perm=10 perm_mask=2 type=FS_INODE msg=audit(1184082224.278:6396): inode=36339931 inode_uid=0 inode_gid=0 inode_dev=68:02 inode_rdev=00:00 type=CWD msg=audit(1184082224.278:6396): cwd="/var/tmp/auditd_test" type=PATH msg=audit(1184082224.278:6396): name="passwd" flags=401 inode=36339931 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 (that's not the -i view so bear with the actual numbers). Could someone confirm for me what Vi is doing to the file that pops a perm_mask=2 (write) event? On a side note, when I do actually write to the file (via vi or redirecting text) I get 7 separate type=FS_WATCH....perm_mask=2 events. I can live with the multiples but anyone have any idea why I see that for one file write? Thanks in advance Felix (running audit-1.0.14-1.EL4 on a RHEL box with a 2.6.9-42.0.10.Elsmp kernel) If you are not the intended recipient of this message (including attachments), or if you have received this message in error, immediately notify us and delete it and any attachments. If you no longer wish to receive e-mail from Edward Jones, please send this request to messages(a)edwardjones.com. You must include the e-mail address that you wish not to receive e-mail communications. For important additional information related to this e-mail, visit www.edwardjones.com/US_email_disclosure