File watching

Jonathan Abbey jonabbey at arlut.utexas.edu
Tue Jun 20 18:10:24 UTC 2006


On Tue, Jun 20, 2006 at 01:53:14PM -0400, Steve wrote:
| I have audit set to monitor all system calls for a file.  I see some 
| system calls for it, but I think some may be missing...  If I create the 
| file using vi, I only see an open followed by a stat64.  Shouldn't there 
| be a write of some type?  stat and open can't write to a file, can they?

Generally (and I'm speaking from my experience with Snare, here), one
does not attempt to audit the actual read and write syscalls, mainly
because there are far, far too many of them, and you need their
performance to be as high as conceivably possible.

Instead, you audit the file open, and make a note of whether the file
was opened read-only, or for read/write.  If it was opened for
read/write, one presumes that it was written to.

 Jon

| Thanks,
| Steve

-- 
-------------------------------------------------------------------------------
Jonathan Abbey 				              jonabbey at arlut.utexas.edu
Applied Research Laboratories                 The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
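As an added illustration of the approach Jon describes (this is not code from the thread, from Snare, or from the audit project): a small Python parser for Linux audit SYSCALL records that keeps only the open(2)/openat(2) events, decodes the flags argument, and reports whether each open was read-only or capable of modifying the file. The log lines are constructed for the example, the flag values are the Linux x86 ones, and the syscall-number table covers only the i386 and x86_64 arch codes; all of that is an assumption of the example, not something the thread states.

```python
import re

# Added example, not code from the thread, Snare, or the audit project.
# Instead of auditing read(2)/write(2), keep the open(2)/openat(2) SYSCALL
# records and decode their flags argument to tell read-only opens from
# write-capable ones. Flag values are the Linux x86/x86_64 ones (assumption:
# other architectures such as alpha or sparc use different O_* numbers).

O_ACCMODE = 0o3
O_RDONLY, O_WRONLY, O_RDWR = 0, 1, 2
O_CREAT, O_TRUNC, O_APPEND, O_LARGEFILE = 0x40, 0x200, 0x400, 0x8000
FLAG_NAMES = {O_CREAT: "O_CREAT", O_TRUNC: "O_TRUNC",
              O_APPEND: "O_APPEND", O_LARGEFILE: "O_LARGEFILE"}

# (audit arch code, syscall number) -> which aN argument carries the flags.
# Assumption: only i386 (0x40000003) and x86_64 (0xc000003e) are tabled here.
OPEN_SYSCALLS = {
    ("40000003", 5): 1,    # i386 open(path, flags, mode)
    ("40000003", 295): 2,  # i386 openat(dirfd, path, flags, mode)
    ("c000003e", 2): 1,    # x86_64 open
    ("c000003e", 257): 2,  # x86_64 openat
}

# field=value pairs; values are either "quoted" or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {key: (bare if bare else quoted)
            for key, quoted, bare in KV_RE.findall(line)}


def open_flags(rec):
    """Flags argument of an open-family syscall, or None for any other record."""
    if rec.get("type") != "SYSCALL":
        return None
    arg_index = OPEN_SYSCALLS.get((rec.get("arch"), int(rec.get("syscall", -1))))
    if arg_index is None:
        return None
    return int(rec["a%d" % arg_index], 16)  # audit prints aN as bare hex


def classify_open(flags):
    """'write' if the open can modify the file, else 'read'.

    O_TRUNC counts as a write even with O_RDONLY: Linux truncates on open.
    """
    if (flags & O_ACCMODE) != O_RDONLY or flags & O_TRUNC:
        return "write"
    return "read"


def describe_flags(flags):
    """Human-readable flag names, access mode first."""
    mode = {O_RDONLY: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}
    names = [mode.get(flags & O_ACCMODE, "O_ACCMODE=3?")]
    names += [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    return names


def summarize_opens(lines):
    """Return (comm, exe, verdict, flag names) for every audited open in the log."""
    results = []
    for line in lines:
        rec = parse_record(line)
        flags = open_flags(rec)
        if flags is None:
            continue  # PATH, CWD, stat64 etc. carry no open flags
        results.append((rec.get("comm"), rec.get("exe"),
                        classify_open(flags), describe_flags(flags)))
    return results


# Constructed sample log: timestamps, pids, paths and addresses are made up.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1150826400.101:201): arch=40000003 syscall=5 success=yes exit=3 '
    'a0=bfffe4a0 a1=8000 a2=0 a3=0 items=1 pid=1001 auid=500 uid=500 '
    'comm="cat" exe="/bin/cat" key="watched"',
    'type=PATH msg=audit(1150826400.101:201): item=0 name="/etc/myconf" inode=1234 '
    'dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00',
    'type=SYSCALL msg=audit(1150826400.202:202): arch=40000003 syscall=195 success=yes exit=0 '
    'a0=bfffe4a0 a1=bfffe300 a2=0 a3=0 items=1 pid=1002 auid=500 uid=500 '
    'comm="vi" exe="/usr/bin/vi" key="watched"',
    'type=SYSCALL msg=audit(1150826400.203:203): arch=40000003 syscall=5 success=yes exit=4 '
    'a0=bfffe4a0 a1=8241 a2=1a4 a3=0 items=2 pid=1002 auid=500 uid=500 '
    'comm="vi" exe="/usr/bin/vi" key="watched"',
    'type=SYSCALL msg=audit(1150826400.304:204): arch=c000003e syscall=257 success=yes exit=5 '
    'a0=ffffffffffffff9c a1=7ffd1234 a2=442 a3=1a4 items=2 pid=1003 auid=500 uid=500 '
    'comm="logger" exe="/usr/bin/logger" key="watched"',
]

if __name__ == "__main__":
    for comm, exe, verdict, names in summarize_opens(SAMPLE_LOG):
        print("%-5s %-8s %-16s %s" % (verdict, comm, exe, "|".join(names)))
```

Run against the constructed log this reports cat as a read-only open, vi's stat64 is skipped, and vi's O_WRONLY|O_CREAT|O_TRUNC open and logger's O_RDWR|O_CREAT|O_APPEND openat are both reported as writes. Two caveats a practitioner will want: a path watch only matches opens of that path, so an editor that writes a fresh temporary file and renames it over the original shows up as a write-open of a different name (watch the directory, or correlate on the PATH records), and on Linux audit a watch rule such as `auditctl -w /etc/myconf -p wa -k watched` already keys on the open's access mode rather than on read(2)/write(2), which is the same idea applied in the kernel.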