Michael C Thompson wrote: [Mon Oct 02 2006, 05:22:17PM EDT]
> Amy Griffis wrote:
> >Michael C Thompson wrote: [Mon Oct 02 2006, 03:16:19PM EDT]
> >>Hey all,
> >>
> >>I'm trying to figure out why having a watch on a file is not generating
> >>a record when I stat said file.
> >>
> >>Put a watch on a file, and do stat file.
> >>
> >>No record... I'm not sure why this is happening, isn't getting such
> >>information considered security relevant?
> >
> >What is your audit rule?
>
> auditctl -w /path/to/file

You aren't seeing a record because stat is not included in any of the
syscall classes. I believe it was omitted because it has a tendency
to fill up audit logs. You can audit this event by specifying the
syscall directly, e.g.

    auditctl -a exit,always -S stat -F path=/path/to/file

Regards,
Amy

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
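
Added example (not part of the original thread): a Python check that correlates SYSCALL and PATH records by audit event ID, to confirm that a syscall rule like the one above is producing stat records for the file. The log lines are constructed, and the syscall numbers assume x86_64 (arch=c000003e); other architectures use different numbers.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers for the stat family (assumption: arch=c000003e).
STAT_SYSCALLS = {4: "stat", 5: "fstat", 6: "lstat", 262: "newfstatat", 332: "statx"}

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, shaped like raw audit.log lines.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1159824137.101:412): arch=c000003e syscall=4 success=yes exit=0 pid=2310 uid=500 comm="stat" exe="/usr/bin/stat"
type=CWD msg=audit(1159824137.101:412): cwd="/home/user"
type=PATH msg=audit(1159824137.101:412): item=0 name="/path/to/file" inode=1234 dev=08:01
type=SYSCALL msg=audit(1159824140.220:413): arch=c000003e syscall=2 success=yes exit=3 pid=2311 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1159824140.220:413): item=0 name="/path/to/file" inode=1234 dev=08:01
type=SYSCALL msg=audit(1159824151.007:414): arch=c000003e syscall=6 success=yes exit=0 pid=2312 uid=0 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1159824151.007:414): item=0 name="/etc/hosts" inode=77 dev=08:01
"""

def parse_fields(line):
    """Split one audit record into key=value fields, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def stat_events(log_text, watched_path):
    """Return stat-family syscall events whose PATH records name watched_path."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        fields = parse_fields(line)
        # Records sharing one timestamp:serial pair belong to the same event.
        ev = events[(m.group(1), int(m.group(2)))]
        if fields.get("type") == "SYSCALL" and fields.get("arch") == "c000003e":
            ev["syscall"] = STAT_SYSCALLS.get(int(fields["syscall"]))
            ev["comm"] = fields.get("comm")
            ev["pid"] = int(fields["pid"])
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name"))
    return [
        {"serial": key[1], "syscall": ev["syscall"], "comm": ev["comm"], "pid": ev["pid"]}
        for key, ev in events.items()
        if ev.get("syscall") and watched_path in ev["paths"]
    ]

if __name__ == "__main__":
    for event in stat_events(SAMPLE_LOG, "/path/to/file"):
        print(event)
```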
