On Monday, May 11, 2015 11:50:19 AM Bill Jackson III wrote: > Any pointers for troubleshooting auditd missing events for file reads, > edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5? > > http://security.stackexchange.com/q/89009/56827
The -w notation is the same as -a always,exit -F path=XXX -F perms=rwa What this does is audit the following functions defined in the syscall classifiers : http://lxr.free-electrons.com/source/include/asm-generic/audit_read.h http://lxr.free-electrons.com/source/include/asm-generic/audit_write.h http://lxr.free-electrons.com/source/include/asm-generic/audit_change_attr.h You are not going to get a hit for each and every read system call because read is not audited. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
