On Tue, 2006-06-20 at 13:10 -0500, Jonathan Abbey wrote:
> On Tue, Jun 20, 2006 at 01:53:14PM -0400, Steve wrote:
> | I have audit set to monitor all system calls for a file. I see some
> | system calls for it, but I think some may be missing... If I create the
> | file using vi, I only see an open followed by a stat64. Shouldn't there
> | be a write of some type? stat and open can't write to a file, can they?
>
> Generally (and I'm speaking from my experience with Snare, here), one
> does not attempt to audit the actual read and write syscalls. Mainly
> because there are far, far too many of them, and you need their
> performance to be as high as conceivably possible.
I think it has more to do with security relevancy than anything. Audit
development has primarily been driven by CAPP and LSPP requirements for
the last couple of years.
-tim
> Instead, you audit the file open, and make a note of whether the file
> was opened read-only, or for read/write. If it was opened for
> read/write, one presumes that it was written to.
>
> Jon
>
> | Thanks,
> | Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
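An added example, not from the thread or from the audit project, showing Jon's approach in practice: instead of auditing write(2), take the SYSCALL record for each open, decode the flags argument, and record whether the file was opened read-only or for writing (and whether it was created or truncated). The audit log lines below are constructed for the example; the syscall numbers, arch codes and O_* bit values are the x86 (i386 and x86_64) ones, which is an assumption that does not hold on other architectures. The PATH record(s) sharing an event serial with the SYSCALL record supply the filename, so the two are joined on the serial in `msg=audit(ts:serial)`.

```python
import re
from dataclasses import dataclass

# Open-flag bits as defined for Linux on x86 (i386 and x86_64).
# Assumption for this example: other architectures use different values.
O_ACCMODE = 0o3
O_WRONLY = 0o1
O_RDWR = 0o2
O_CREAT = 0o100
O_TRUNC = 0o1000

# (arch code, syscall number) -> which argument register holds the flags.
# open(path, flags, mode) keeps flags in a1; openat(dirfd, path, flags, mode) in a2.
FLAG_ARG = {
    ("40000003", 5): 1,     # i386 open
    ("40000003", 295): 2,   # i386 openat
    ("c000003e", 2): 1,     # x86_64 open
    ("c000003e", 257): 2,   # x86_64 openat
}

# key=value tokens; values are either "quoted strings" or bare words.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: vi reads a watched file, then writes it back with
# O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE (a1=8241); a third, unrelated user's
# O_RDWR open (a1=8002) is denied (success=no exit=-13, i.e. EACCES).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1150826400.101:1001): arch=40000003 syscall=5 success=yes exit=3 a0=8a1d248 a1=8000 a2=1b6 a3=0 items=1 pid=4021 auid=500 uid=500 comm="vi" exe="/usr/bin/vim" key="watched"
type=PATH msg=audit(1150826400.101:1001): item=0 name="/home/steve/notes.txt" inode=12345 dev=03:01 mode=0100644
type=SYSCALL msg=audit(1150826400.417:1002): arch=40000003 syscall=5 success=yes exit=3 a0=8a1d248 a1=8241 a2=1b6 a3=0 items=2 pid=4021 auid=500 uid=500 comm="vi" exe="/usr/bin/vim" key="watched"
type=PATH msg=audit(1150826400.417:1002): item=0 name="/home/steve/" inode=12300 dev=03:01 mode=040755
type=PATH msg=audit(1150826400.417:1002): item=1 name="/home/steve/notes.txt" inode=12345 dev=03:01 mode=0100644
type=SYSCALL msg=audit(1150826401.002:1003): arch=40000003 syscall=5 success=no exit=-13 a0=8a1d248 a1=8002 a2=0 a3=0 items=1 pid=4077 auid=501 uid=501 comm="cat" exe="/bin/cat" key="watched"
type=PATH msg=audit(1150826401.002:1003): item=0 name="/home/steve/notes.txt" inode=12345 dev=03:01 mode=0100644
"""


@dataclass
class OpenEvent:
    serial: int
    timestamp: float
    path: str
    comm: str
    access: str      # "read" or "write", from the O_ACCMODE bits
    created: bool    # O_CREAT was set
    truncated: bool  # O_TRUNC was set
    success: bool    # kernel reported success=yes


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_opens(log_text):
    """Join SYSCALL and PATH records by serial and classify each open."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        m = MSG_RE.search(rec.get("msg", ""))
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)),
                               {"ts": float(m.group(1)), "syscall": None, "paths": []})
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec.get("name", "?"))

    result = []
    for serial, ev in sorted(events.items()):
        sc = ev["syscall"]
        if sc is None:
            continue
        try:
            idx = FLAG_ARG[(sc["arch"], int(sc["syscall"]))]
        except KeyError:
            continue  # not an open/openat on a known arch
        flags = int(sc["a%d" % idx], 16)  # audit prints args in hex
        accmode = flags & O_ACCMODE
        result.append(OpenEvent(
            serial=serial,
            timestamp=ev["ts"],
            # With O_CREAT the parent directory is item 0 and the file is last.
            path=ev["paths"][-1] if ev["paths"] else "?",
            comm=sc.get("comm", "?"),
            access="write" if accmode in (O_WRONLY, O_RDWR) else "read",
            created=bool(flags & O_CREAT),
            truncated=bool(flags & O_TRUNC),
            success=sc.get("success") == "yes",
        ))
    return result


if __name__ == "__main__":
    for ev in summarize_opens(SAMPLE_LOG):
        print(ev)
```

Run as-is it reports the vi session as one read-only open followed by one write open that created and truncated the file, and the denied open as a failed write attempt; a watch placed with `-p w` (or a rule keyed on open/openat) gives exactly these SYSCALL and PATH records to feed it.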