On Fri, 2006-07-07 at 22:00 -0400, Amy Griffis wrote:
<snip>
>
> As Tim mentioned, the idea is that to determine if a file is modified,
> you would filter for open() calls with either the O_RDWR or O_WRONLY
> flag. This is pretty unwieldy with the current feature set since you
> would need a separate rule for every possible combination of flags
> that includes O_RDWR or O_WRONLY. I really think we need to enhance
> the filtering options available for open() calls, since trying to
> audit the actual modifications is much more difficult.
>
> If you are missing events for open() calls, please let us know since
> that would be a bug (versus a lacking feature).
>
> Thanks for testing.
>
> Amy
>

I think this is a bug. We see audit records for a failed attempt at
writing a file (e.g. chmod -w foo, echo "bar" > foo) via redirection,
but not otherwise.

-tim

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
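The following is an added example, not part of the original thread or of the audit project's code. It shows the point in the quoted text: an equality match on the open() flags argument needs one value per flag combination, while masking the access mode picks out every write-capable open in a SYSCALL record. It assumes x86_64 syscall numbers and flag values; the helper names and the sample records are constructed for illustration.

```python
import re
from itertools import combinations

# Linux open(2) flag values on x86/x86_64 (octal); assumed architecture.
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000

# x86_64 syscall number -> audit field carrying the flags argument.
FLAGS_FIELD = {2: "a1", 257: "a2"}  # open(), openat()

# Constructed sample records (not real logs). a1=241 is
# O_WRONLY|O_CREAT|O_TRUNC, the flags a shell ">" redirection passes.
RECORDS = [
    'type=SYSCALL msg=audit(1152324000.101:41): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7ffd1000 a1=241 a2=1b6 a3=0 comm="bash"',
    'type=SYSCALL msg=audit(1152324000.202:42): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7ffd2000 a1=0 a2=0 a3=0 comm="cat"',
    'type=SYSCALL msg=audit(1152324000.303:43): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7ffd3000 a1=442 a2=1b6 a3=0 comm="app"',
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def write_open(record):
    """Return (flags, succeeded) for an open-for-write record, else None."""
    fields = dict(FIELD_RE.findall(record))
    if fields.get("type") != "SYSCALL" or fields.get("arch") != "c000003e":
        return None
    num = fields.get("syscall", "")
    field = FLAGS_FIELD.get(int(num)) if num.isdigit() else None
    if field is None or field not in fields:
        return None
    flags = int(fields[field], 16)  # a0..a3 are logged as bare hex
    if (flags & O_ACCMODE) in (O_WRONLY, O_RDWR):
        return flags, fields.get("success") == "yes"
    return None


def equality_values(optional):
    """Every flags value an equality-only filter would need a rule for."""
    values = set()
    for mode in (O_WRONLY, O_RDWR):
        for n in range(len(optional) + 1):
            for combo in combinations(optional, n):
                values.add(mode | sum(combo))
    return values
```

With only three optional flags considered, `equality_values` already returns 16 distinct values, each of which would need its own equality rule.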
