Hello, We have an internal group auditing updates to files but who would like to be able to monitor the actual modification rather than the possible intent to modify.
The example they gave is that some program opens a file O_WRONLY|O_APPEND but in most cases it does not subsequently write to the file. For them, the usual auditctl -p path -w wa causes lots of false positives. Historically, I know, that -w wa is triggered by the open(2) flags rather than actual modifications because "[t]he read & write syscalls are omitted from this set since they would overwhelm the logs." Reading this again now, it looks a little specious as it seems quite easy to overwhelm the logs anyway.

Is there any reason why a file watcher should not use the fsnotify FS_ACCESS/MODIFY/ATTRIB masks before I go haring off to try to implement that?

jch

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
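An added illustration of the distinction raised above, not code from the post or from the audit project: it uses the inotify userspace front end to fsnotify to watch a constructed temp file, reproduces the open-without-write case, and counts only IN_MODIFY/IN_ATTRIB events as real changes. It assumes Linux with a writable /tmp.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Bits that prove the file was really touched: data written (IN_MODIFY) or
 * metadata changed (IN_ATTRIB). IN_OPEN only proves a handle was obtained. */
#define MODIFY_MASK (IN_MODIFY | IN_ATTRIB)

/* Returns 1 if an inotify event mask records an actual modification. */
int is_modification(uint32_t mask) { return (mask & MODIFY_MASK) != 0; }

/* Drains a non-blocking inotify fd, printing every event and returning how
 * many were actual modifications. */
int count_modifications(int ifd) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int mods = 0;
    ssize_t n;
    while ((n = read(ifd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + n;) {
            struct inotify_event *ev = (struct inotify_event *)p;
            printf("mask=0x%x %s\n", ev->mask, is_modification(ev->mask) ? "modified" : "open only");
            mods += is_modification(ev->mask);
            p += sizeof *ev + ev->len;
        }
    }
    return mods;
}

/* Constructed scenario from the post: a temp file is opened O_WRONLY|O_APPEND
 * and closed without a write, then opened and really written. Returns the
 * number of modification events seen (expected 1), or -1 if inotify is unavailable. */
int run_scenario(void) {
    char path[] = "/tmp/auditdemoXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int ifd = inotify_init1(IN_NONBLOCK);
    if (ifd < 0 || inotify_add_watch(ifd, path, IN_OPEN | MODIFY_MASK) < 0) { unlink(path); return -1; }
    fd = open(path, O_WRONLY | O_APPEND); close(fd);                 /* intent only */
    fd = open(path, O_WRONLY | O_APPEND); (void)!write(fd, "x", 1); close(fd); /* real change */
    int mods = count_modifications(ifd);
    close(ifd); unlink(path);
    return mods;
}

int main(void) { printf("actual modifications: %d\n", run_scenario()); return 0; }
```

The first open is reported only as IN_OPEN, so a watcher keyed on MODIFY_MASK stays silent until the second open actually writes.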
