> Is it possible to tell if a file was opened read/write or read-only from
> the events generated by audit?
The record does record syscall arguments, however, so perhaps you could
analyze a1= (I believe this is the argument that passes flags), and
figure out what flags open() was called with.
I performed an open on a file twice, the first is when the user had
read/write privileges to the file and in the second the user only has
read permissions. These were the a# values from the events, respectively:
a0=bfe6ac25 a1=8000 a2=0 a3=8000
a0=bfd25b55 a1=8000 a2=0 a3=8000
I'm not sure how to analyze that...
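
Added example, not part of the original thread: one way to decode the a1= field of an open() audit record into flag names. It assumes audit prints the arguments in hexadecimal and that the x86 Linux flag values apply (the a0 values above look like 32-bit stack addresses); the third sample record is constructed for contrast, and for openat() the flags would be in a2 instead.

```python
import re

# Linux open(2) flag bits for x86 (assumption: other architectures differ).
O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
OTHER_FLAGS = {
    0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY",
    0o1000: "O_TRUNC", 0o2000: "O_APPEND", 0o4000: "O_NONBLOCK",
    0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY",
    0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC",
}
A1_RE = re.compile(r"\ba1=([0-9a-fA-F]+)\b")


def decode_open_flags(flags):
    """Return the access mode followed by any other flag names that are set."""
    names = [ACCESS_MODES.get(flags & O_ACCMODE, "access mode 3")]
    rest = flags & ~O_ACCMODE
    for bit, name in sorted(OTHER_FLAGS.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:  # bits this table does not know about
        names.append(hex(rest))
    return names


def decode_record(line):
    """Pull a1= out of one audit SYSCALL record and decode it as open() flags."""
    match = A1_RE.search(line)
    if match is None:
        raise ValueError("no a1= field in record")
    return decode_open_flags(int(match.group(1), 16))


def requests_write(line):
    """True if the open() call asked for write access."""
    return decode_record(line)[0] in ("O_WRONLY", "O_RDWR")


SAMPLES = [
    "a0=bfe6ac25 a1=8000 a2=0 a3=8000",    # first record from the thread
    "a0=bfd25b55 a1=8000 a2=0 a3=8000",    # second record from the thread
    "a0=bf9c1d30 a1=8242 a2=1a4 a3=8242",  # constructed: read/write open
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", "|".join(decode_record(record)))
```

Both records from the thread decode to O_RDONLY|O_LARGEFILE: a1 holds the flags the program passed to open(), so it is the same regardless of the permissions the user has on the file.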