Hi Steve,
Steve wrote: [Tue Jun 20 2006, 01:53:14PM EDT]
> I have audit set to monitor all system calls for a file. I see some
> system calls for it, but I think some may be missing... If I create the
> file using vi, I only see an open followed by a stat64. Shouldn't there
> be a write of some type?
You don't see a record for write because write operates on an fd
rather than a pathname. The audit hooks that collect the information
used to match the 'inode' and 'path' filter fields are typically only
called when the syscall args specify a pathname.
The exception is the fchmod, fchown, fsetxattr and fremovexattr
syscalls. We added extra hooks there to satisfy CAPP requirements.
In order to support filtering by 'inode' or 'path' for read/write
calls, we could add audit_inode() hooks like we did for the f*
syscalls. But as Jonathan mentioned, most people don't want to audit
individual reads and writes, so no one has pursued adding that
capability.
With the current behavior, your only option is to audit all opens for
the file and examine the a1 field in the resulting records.
It would be nice if it were possible to further filter the open calls,
by allowing the rule to specify certain flags like O_CREAT, O_RDONLY,
O_WRONLY or O_RDWR. That could do quite a bit to eliminate
unwanted log data.
What do others think, should we consider adding something like this?
Amy
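As an added illustration of the workaround Amy describes (audit every open of the file, then post-filter on the a1 field), and not code from this thread or from the audit project: the script below parses SYSCALL records from the audit log, decodes the hex a1 value of open() into flag names, and keeps only the opens that can modify or create the file. It assumes the i386 flag values and syscall number (open is syscall 5, arch=40000003) and the constructed sample records shown inline.

```python
import re

# open(2) flag values for x86 (assumed; they are architecture-dependent,
# so check <asm/fcntl.h> for the arch shown in the record's arch= field).
O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
FLAG_NAMES = {
    0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC",
    0o2000: "O_APPEND", 0o100000: "O_LARGEFILE",
}

# Constructed sample records: vi creating the file, cat reading it,
# and the stat64 that follows the open (syscall 195 on i386).
SAMPLE = [
    'type=SYSCALL msg=audit(1150824794.123:456): arch=40000003 syscall=5 '
    'success=yes exit=3 a0=bfb7c8d0 a1=8241 a2=1b6 a3=0 items=1 pid=1234 '
    'uid=500 comm="vi" exe="/usr/bin/vim"',
    'type=SYSCALL msg=audit(1150824800.001:457): arch=40000003 syscall=5 '
    'success=yes exit=3 a0=bfb7c8d0 a1=8000 a2=0 a3=0 items=1 pid=1235 '
    'uid=500 comm="cat" exe="/bin/cat"',
    'type=SYSCALL msg=audit(1150824801.002:458): arch=40000003 syscall=195 '
    'success=yes exit=0 a0=bfb7c8d0 a1=bfb7c700 a2=0 a3=0 items=1 pid=1234 '
    'uid=500 comm="vi" exe="/usr/bin/vim"',
]

FIELD_RE = re.compile(r'(\w+)=(\S+)')

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return dict(FIELD_RE.findall(line))

def decode_open_flags(a1_hex):
    """Decode the hex a1 argument of an open() SYSCALL record into flag names."""
    flags = int(a1_hex, 16)
    names = [ACCESS_MODES.get(flags & O_ACCMODE, "O_ACCMODE=%d" % (flags & O_ACCMODE))]
    names += [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    return names

def writing_opens(records, open_syscall_nr="5"):
    """Keep open() records whose flags allow writing or create the file.

    Returns a list of (msg id, decoded flag names); read-only opens and
    other syscalls are dropped, which is the filtering the rule itself
    cannot yet express."""
    hits = []
    for line in records:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != open_syscall_nr:
            continue
        names = decode_open_flags(rec["a1"])
        if "O_RDONLY" in names and "O_CREAT" not in names:
            continue  # plain read: not interesting for a write-oriented watch
        hits.append((rec["msg"].rstrip(":"), names))
    return hits
```

Running `writing_opens(SAMPLE)` keeps only the vi record, decoded as O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE (a1=8241), and drops the read-only open and the stat64.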