Bypassing audit's file watches
Timothy R. Chavez
tinytim at us.ibm.com
Mon Jul 10 15:16:23 UTC 2006
On Fri, 2006-07-07 at 22:00 -0400, Amy Griffis wrote:
<snip>
>
> As Tim mentioned, the idea is that to determine if a file is modified,
> you would filter for open() calls with either the O_RDWR or O_WRONLY
> flag. This is pretty unwieldy with the current feature set since you
> would need a separate rule for every possible combination of flags
> that includes O_RDWR or O_WRONLY. I really think we need to enhance
> the filtering options available for open() calls, since trying to
> audit the actual modifications is much more difficult.
>
> If you are missing events for open() calls, please let us know since
> that would be a bug (versus a lacking feature).
>
> Thanks for testing.
>
> Amy
>
I think this is a bug. We see audit records for a failed attempt at
writing a file (e.g. chmod -w foo, echo "bar" > foo) via redirection,
but not otherwise.
-tim
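As an added worked example (not part of this thread or of the audit project's code), the script below does in post-processing what Amy describes wanting from the kernel filter: it takes open() SYSCALL records, reads the flags argument, and keeps only those whose access mode is O_WRONLY or O_RDWR, correlating each with its PATH record by event id. It also enumerates how many distinct flag values a per-value rule set would need, which is the "separate rule for every possible combination" problem. The flag constants are the Linux values from asm-generic/fcntl.h; the assumptions are that records come from x86_64 (arch=c000003e) where open(2) is syscall 2 with flags in a1, and the log lines are constructed, not captured from a real system.

```python
import itertools
import re
from collections import defaultdict

# Linux open(2) flag values (octal, as written in asm-generic/fcntl.h).
O_ACCMODE = 0o3
O_RDONLY = 0o0
O_WRONLY = 0o1
O_RDWR = 0o2
O_CREAT = 0o100
O_TRUNC = 0o1000
O_APPEND = 0o2000

# Assumption: x86_64 records, where open(2) is syscall 2 and the flags are in a1.
# Audit prints the arch as c000003e and a0..a3 as bare hex.
FLAGS_ARG = {("c000003e", "2"): "a1"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r"audit\(([^)]*)\)")


def parse_record(line):
    """Split one audit line into field=value pairs; 'event' holds the audit(...) id."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_ID_RE.search(line)
    rec["event"] = m.group(1) if m else None
    return rec


def is_write_open(rec):
    """True for a SYSCALL record of open() whose access mode is O_WRONLY or O_RDWR."""
    if rec.get("type") != "SYSCALL":
        return False
    arg = FLAGS_ARG.get((rec.get("arch"), rec.get("syscall")))
    if arg is None:
        return False
    flags = int(rec[arg], 16)
    # Only the low two bits carry the access mode; O_CREAT, O_TRUNC etc. sit above them.
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)


def write_opens(lines):
    """Group records by event id and report every write-mode open with its paths.

    Failed opens (success=no) are reported too, since the question in the thread is
    whether the attempt was recorded at all, not only whether it succeeded."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        events[rec["event"]].append(rec)
    hits = []
    for event_id, recs in events.items():
        syscalls = [r for r in recs if is_write_open(r)]
        if not syscalls:
            continue
        sc = syscalls[0]
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        hits.append({
            "event": event_id,
            "comm": sc.get("comm"),
            "success": sc.get("success"),
            "flags": int(sc[FLAGS_ARG[(sc["arch"], sc["syscall"])]], 16),
            "paths": paths,
        })
    return hits


def write_flag_values(modifiers):
    """All distinct flag words with a write access mode, given optional modifier bits.

    Each value would need its own exact-match rule on the flags argument, which is
    why filtering by full flag value rather than by access mode is unwieldy."""
    values = set()
    for n in range(len(modifiers) + 1):
        for combo in itertools.combinations(modifiers, n):
            extra = 0
            for f in combo:
                extra |= f
            values.add(O_WRONLY | extra)
            values.add(O_RDWR | extra)
    return sorted(values)


# Constructed sample records (not real audit output): a shell redirect creating
# the file (a1=241 is O_WRONLY|O_CREAT|O_TRUNC), a read-only cat, the same redirect
# failing with EACCES after chmod -w, and an editor opening O_RDWR|O_APPEND (0x402).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1152546983.123:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=241 a2=1b6 a3=0 items=1 comm="bash" exe="/bin/bash"
type=PATH msg=audit(1152546983.123:101): item=0 name="/tmp/foo" inode=1234 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1152546983.130:102): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1152546983.130:102): item=0 name="/tmp/foo" inode=1234 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1152546983.140:103): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=241 a2=1b6 a3=0 items=1 comm="bash" exe="/bin/bash"
type=PATH msg=audit(1152546983.140:103): item=0 name="/tmp/foo" inode=1234 dev=08:01 mode=0100444
type=SYSCALL msg=audit(1152546983.150:104): arch=c000003e syscall=2 success=yes exit=4 a0=7fff a1=402 a2=0 a3=0 items=1 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1152546983.150:104): item=0 name="/tmp/foo" inode=1234 dev=08:01 mode=0100644
"""

if __name__ == "__main__":
    for hit in write_opens(SAMPLE_LOG.splitlines()):
        print(hit)
    print(len(write_flag_values([O_CREAT, O_TRUNC, O_APPEND])), "flag values to match")
```

Running it reports events 101, 103 and 104 as write-mode opens of /tmp/foo (the cat in 102 is excluded), and shows that even three modifier flags already give 16 distinct flag values to enumerate, against a single access-mode test.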