Is it possible to tell if a file was opened read/write or read-only from the events generated by audit?
The record does record syscall arguments, however, so perhaps you could analyze a1= (I believe this is the argument that passes flags), and figure out what flags open() was called with.
I performed an open on a file twice, the first is when the user had read/write privileges to the file and in the second the user only has read permissions. These were the a# values from the events, respectively:
a0=bfe6ac25 a1=8000 a2=0 a3=8000

a0=bfd25b55 a1=8000 a2=0 a3=8000

I'm not sure how to analyze that...

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
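Decoding the a1 values quoted above, as an added example that is not part of the original thread. It assumes the records are for open() (flags in a1, printed in hex, as audit does for a0 to a3) and the flag numbering Linux uses on x86; the function names are hypothetical and the third record is constructed for contrast.

```python
import re

# Assumption: open(2) flag values as numbered by Linux on x86 (asm-generic).
# Some architectures (alpha, mips, sparc, ...) number these bits differently.
# Assumption: the syscall is open(); for openat() the flags are in a2 instead.
O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
FLAG_BITS = {
    0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY", 0o1000: "O_TRUNC",
    0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o100000: "O_LARGEFILE",
    0o200000: "O_DIRECTORY", 0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC",
}
ARG_RE = re.compile(r"\ba([0-3])=([0-9a-fA-F]+)\b")

def syscall_args(record):
    """Return {0: a0, 1: a1, ...} from an audit SYSCALL record (hex values)."""
    return {int(n): int(v, 16) for n, v in ARG_RE.findall(record)}

def decode_open_flags(flags):
    """Split an open(2) flags word into its access mode and option bits."""
    names = [ACCESS_MODES.get(flags & O_ACCMODE, "invalid-access-mode")]
    rest = flags & ~O_ACCMODE
    for bit, name in sorted(FLAG_BITS.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))  # bits this table does not name
    return names

def requested_write(record):
    """True if the open() call asked for O_WRONLY or O_RDWR."""
    return (syscall_args(record)[1] & O_ACCMODE) in (0o1, 0o2)

RECORDS = [
    "a0=bfe6ac25 a1=8000 a2=0 a3=8000",  # first open, from the thread
    "a0=bfd25b55 a1=8000 a2=0 a3=8000",  # second open, from the thread
    "a0=bfd25b55 a1=8002 a2=0 a3=8000",  # constructed: a read/write open
]

if __name__ == "__main__":
    for rec in RECORDS:
        flags = syscall_args(rec)[1]
        print(rec, "->", "|".join(decode_open_flags(flags)))
```

Both posted records decode to O_RDONLY|O_LARGEFILE: a1 carries the access mode the program requested, so it is the same whatever permissions the calling user holds on the file.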
