Steve wrote: [Fri Jul 07 2006, 10:58:42AM EDT]
> I have found that I can modify files that are being watched and audit
> not catch it (ie. no events are dispatched). When monitoring a file for
> all system calls, I can:
>
> echo "" > /file/to/watch
>
> or
>
> cat some_file > /file/to/watch
>
> without generating audit events.
Are you seeing the open and not the write, or no records at all? With the current implementation, you should expect to see an event for open(). You wouldn't see a record for the write(), as the argument is an fd instead of a filename. As Tim mentioned, the idea is that to determine if a file is modified, you would filter for open() calls with either the O_RDWR or O_WRONLY flag. This is pretty unwieldy with the current feature set since you would need a separate rule for every possible combination of flags that includes O_RDWR or O_WRONLY. I really think we need to enhance the filtering options available for open() calls, since trying to audit the actual modifications is much more difficult.

If you are missing events for open() calls, please let us know since that would be a bug (versus a lacking feature).

Thanks for testing.

Amy

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
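An added example, not code from the thread or from the audit project, of the filtering Amy describes applied after the fact to SYSCALL records: it reads the open() flags from the a1 field and keeps only the records whose access mode is O_WRONLY or O_RDWR, so a shell redirection like `echo "" > /file/to/watch` (which opens with O_WRONLY|O_CREAT|O_TRUNC) is flagged while a plain read is not. The records are constructed, and the example assumes i386 syscall numbering (open = 5) and Linux flag values.

```python
import os
import re

# Constructed SYSCALL records in auditd's format (not taken from the thread).
# a1 is the open() flags argument, printed in hex without a 0x prefix.
# syscall=5 is open() on i386. Record 41 is what `echo "" > file` produces:
# O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE = 0x8241.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1152284322.100:41): arch=40000003 syscall=5 success=yes exit=3 a0=bfa3c1a0 a1=8241 a2=1b6 a3=0 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1152284322.200:42): arch=40000003 syscall=5 success=yes exit=3 a0=bfa3c1b0 a1=8000 a2=0 a3=0 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1152284322.300:43): arch=40000003 syscall=5 success=yes exit=4 a0=bfa3c1c0 a1=8002 a2=0 a3=0 comm="vi" exe="/usr/bin/vi"
type=SYSCALL msg=audit(1152284322.400:44): arch=40000003 syscall=5 success=no exit=-13 a0=bfa3c1d0 a1=8001 a2=0 a3=0 comm="sh" exe="/bin/sh"
"""

OPEN_SYSCALL_I386 = 5      # assumption: i386 syscall table
O_ACCMODE = 0o3            # Linux: low two bits of the flags hold the access mode
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field name -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def opens_for_write(flags):
    """True when an open() flags word allows the file to be modified.

    Testing the access mode rather than individual bits is what makes this a
    single check instead of one rule per O_CREAT/O_TRUNC/O_APPEND/... combination.
    """
    return (flags & O_ACCMODE) in (os.O_WRONLY, os.O_RDWR)


def find_write_opens(records_text, open_nr=OPEN_SYSCALL_I386):
    """Return (serial, comm, flags, succeeded) for each open() that could modify its target."""
    hits = []
    for line in records_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or int(rec.get("syscall", -1)) != open_nr:
            continue
        flags = int(rec["a1"], 16)
        if opens_for_write(flags):
            serial = rec["msg"].split(":")[1].rstrip(")")   # msg=audit(ts:serial):
            hits.append((serial, rec["comm"], flags, rec["success"] == "yes"))
    return hits


if __name__ == "__main__":
    for serial, comm, flags, ok in find_write_opens(SAMPLE_RECORDS):
        print(f"serial={serial} comm={comm} flags=0x{flags:x} success={ok}")
```

Failed opens (record 44, EACCES) are kept on purpose: an attempted write to a watched file is usually worth seeing even when it did not succeed.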
