file watch and stat - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

file watch and stat

Audit-1.0.14

[PATCH 0/1] NetLabel audit fixup

Michael C Thompson

Monday, 2 October 2006 Mon, 2 Oct '06

2:16 p.m.

Hey all, I'm trying to figure out why having a watch a on file is not generating a record when I stat said file. Put a watch on a file, and do stat file. No record... I'm not sure why this is happening, isn't getting such information considered security relevant? Mike

Reply

Show replies by date

Amy Griffis

Monday, 2 October Mon, 2 Oct

3:11 p.m.

Michael C Thompson wrote: [Mon Oct 02 2006, 03:16:19PM EDT]

Hey all, I'm trying to figure out why having a watch a on file is not generating a record when I stat said file. Put a watch on a file, and do stat file. No record... I'm not sure why this is happening, isn't getting such information considered security relevant?

What is your audit rule?

Reply

Michael C Thompson

4:22 p.m.

Amy Griffis wrote:

Michael C Thompson wrote: [Mon Oct 02 2006, 03:16:19PM EDT] > Hey all, > > I'm trying to figure out why having a watch a on file is not generating > a record when I stat said file. > > Put a watch on a file, and do stat file. > > No record... I'm not sure why this is happening, isn't getting such > information considered security relevant? What is your audit rule?

auditctl -w /path/to/file Mike

Reply

Amy Griffis

Tuesday, 3 October Tue, 3 Oct

10:43 a.m.

Michael C Thompson wrote: [Mon Oct 02 2006, 05:22:17PM EDT]

Amy Griffis wrote: >Michael C Thompson wrote: [Mon Oct 02 2006, 03:16:19PM EDT] >>Hey all, >> >>I'm trying to figure out why having a watch a on file is not generating >>a record when I stat said file. >> >>Put a watch on a file, and do stat file. >> >>No record... I'm not sure why this is happening, isn't getting such >>information considered security relevant? > >What is your audit rule? auditctl -w /path/to/file

You aren't seeing a record because stat is not included in any of the syscall classes. I believe it was omitted because it has a tendency to fill up audit logs. You can audit this event by specifying the syscall directly, e.g. auditctl -a exit,always -S stat -F path=/path/to/file Regards, Amy

Reply

6654

days inactive

6655

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

3 comments

2 participants

tags (0)

participants (2)

Amy Griffis
Michael C Thompson