I'm running CentOS-6.5-i386-minimal.

I recently used auditd to set up a watch on a specific file (-w /path/to/my/file 
-p warx), but found it difficult to distinguish system calls that were 
modifying the file vs. reading from the file when using ausearch/aureport.

In response to that, I separated out the watches by keys:

-w /path/to/my/file -p wa -k thisisawrite
-w /path/to/my/file -p r -k thisisaread

And then ran both aureport -k and aureport -f to join the keys to the system 
calls by event number.

Am I wholly approaching this the wrong way, or is there an easier way to 
distinguish between a syscall that reads from a file vs. writes to a file?

Assuming this is the correct approach, would there then be a benefit to adding 
the key to the aureport -f output? I find it awkward to have to combine the two 
commands to get the necessary information.

Regards,
Jon Smith
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
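The join the post performs by hand between aureport -k and aureport -f is already present in the raw log: every record of one event (SYSCALL, CWD, PATH) carries the same msg=audit(timestamp:serial) stamp, and the key lives on the SYSCALL record while the file name lives on the PATH record. The script below is an added example, not code from the post or from the audit project; it parses a constructed sample of /var/log/audit/audit.log lines for the two keys named in the post, groups records by serial, and emits one row per event with its access class, syscall name, executable and login uid. The sample records, the i386 syscall-number table (arch=40000003, matching the poster's i386 system) and the watched path are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log records (not taken from the post).
# Serial 101 hit the "thisisawrite" watch (vim opening the file for writing),
# serial 102 hit the "thisisaread" watch (cat opening it read-only).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1400000000.123:101): arch=40000003 syscall=5 success=yes exit=3 a0=bfb1e9c0 a1=8241 a2=1b6 a3=0 items=2 ppid=2000 pid=2001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="thisisawrite"
type=CWD msg=audit(1400000000.123:101):  cwd="/root"
type=PATH msg=audit(1400000000.123:101): item=0 name="/path/to/my/" inode=1234 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1400000000.123:101): item=1 name="/path/to/my/file" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1400000000.456:102): arch=40000003 syscall=5 success=yes exit=3 a0=bfb1e9c0 a1=8000 a2=0 a3=0 items=1 ppid=2000 pid=2002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="thisisaread"
type=CWD msg=audit(1400000000.456:102):  cwd="/home/jon"
type=PATH msg=audit(1400000000.456:102): item=0 name="/path/to/my/file" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# The event stamp shared by every record of one event.
MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Keys from the post's two watch rules, mapped to the access class they mean.
KEY_TO_ACCESS = {"thisisawrite": "write", "thisisaread": "read"}

# i386 syscall numbers for the calls a file watch commonly reports (assumption:
# the box is i386, so arch=40000003; other arches use different numbers).
I386_SYSCALLS = {"3": "read", "4": "write", "5": "open", "10": "unlink", "38": "rename"}


def parse_records(text):
    """Group raw records by event serial.

    Returns {serial: {"timestamp": str, "syscall": {field: value}, "paths": [name, ...]}}.
    Only SYSCALL and PATH records are kept; CWD and others are ignored.
    """
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = int(m.group("serial"))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[serial]
        ev["timestamp"] = m.group("ts")
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return dict(events)


def summarize(text, watched="/path/to/my/file"):
    """One row per event that touched `watched`, with the key resolved to read/write."""
    rows = []
    for serial, ev in sorted(parse_records(text).items()):
        sc = ev.get("syscall")
        if sc is None or watched not in ev["paths"]:
            continue
        rows.append({
            "serial": serial,
            "timestamp": ev["timestamp"],
            "access": KEY_TO_ACCESS.get(sc.get("key"), "unknown"),
            "syscall": I386_SYSCALLS.get(sc.get("syscall"), sc.get("syscall")),
            "exe": sc.get("exe"),
            "auid": sc.get("auid"),
            "file": watched,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("{serial:>6} {access:<7} {syscall:<7} auid={auid:<5} {exe} -> {file}".format(**row))
```

Pointing the same parser at the real file (`summarize(open("/var/log/audit/audit.log").read())`) gives the joined view the post was assembling from two aureport runs; because the access class comes from the key on the SYSCALL record and the file from the PATH record, an event is only listed when both agree, which is the check a reviewer would want before trusting a "who wrote this file" answer.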
