File watching

Steve m6x at ornl.gov
Tue Jun 20 19:08:53 UTC 2006


Michael C Thompson wrote:
> Steve wrote:
>>>> Is it possible to tell if a file was opened read/write or read-only 
>>>> from the events generated by audit?
>>
>>> The record does record syscall arguments, however, so perhaps you could
>>> analyze a1= (I believe this is the argument that passes flags), and
>>> figure out with what flags open() was called with.
>>
>> I performed an open on a file twice, the first is when the user had 
>> read/write privileges to the file and in the second the user only has 
>> read permissions.  These were the a# values from the events, 
>> respectively:
>>
>> a0=bfe6ac25 a1=8000 a2=0 a3=8000
>>
>> a0=bfd25b55 a1=8000 a2=0 a3=8000
>>
>> I'm not sure how to analyze that...
> 
> In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and 
> O_LARGEFILE (0100000 octal, 0x8000 hex).
> 
> So you were opened as read-only. You can't determine the level of access 
> the user has from the above, although you should be able to infer some 
> information about it from the entire record.
> 
> Mike
> 

The file is owned by root and the group for the file is root.  The 
permissions are 664.

Here is the whole record for root accessing the file

audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3 
a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 
comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0 
cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c" 
inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 
obj=user_u:object_r:tmp_t:s0

and for the normal user:

audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3 
a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500 
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 
tty=pts3 comm="vim" exe="/usr/bin/vim" 
subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0 
name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 
rdev=00:00 obj=user_u:object_r:tmp_t:s0

I am not sure why it opens the file as read-only when root opens it...

Steve
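An added example, not from the thread or the audit project: a small Python decoder for the a1 (flags) field of i386 open() records like the two above, together with the mode= field, so that read-only versus write opens can be told apart mechanically. The O_* bit values are the i386 open(2) constants; the regex, function names and the abridged copies of the two records are my own.

```python
import re

# open(2) flag bits as seen on arch=40000003 (i386); the audit a1 field is hex.
O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
FLAG_BITS = {
    0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY", 0o1000: "O_TRUNC",
    0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o10000: "O_DSYNC",
    0o20000: "FASYNC", 0o40000: "O_DIRECT", 0o100000: "O_LARGEFILE",
    0o200000: "O_DIRECTORY", 0o400000: "O_NOFOLLOW", 0o1000000: "O_NOATIME",
    0o2000000: "O_CLOEXEC",
}
I386_ARCH, I386_OPEN = "40000003", 5  # syscall=5 is open(2) on i386

# key=value pairs; values are either "quoted" or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def decode_open_flags(a1_hex):
    """Return (access mode, [other flag names]) for an open(2) a1 value in hex."""
    flags = int(a1_hex, 16)
    mode = ACCESS_MODES.get(flags & O_ACCMODE, "O_ACCMODE?")
    others = [name for bit, name in sorted(FLAG_BITS.items()) if flags & bit]
    return mode, others

def describe_open(line):
    """Summarise an i386 open() record; None for records of other syscalls/arches."""
    rec = parse_record(line)
    if rec.get("arch") != I386_ARCH or int(rec.get("syscall", -1)) != I386_OPEN:
        return None
    mode, others = decode_open_flags(rec["a1"])
    return {
        "name": rec.get("name"), "comm": rec.get("comm"), "uid": int(rec["uid"]),
        "access": mode, "flags": others,
        "writes": mode in ("O_WRONLY", "O_RDWR"),      # did this open ask for write?
        "perm": f"{int(rec['mode'], 8) & 0o7777:o}",  # mode=0100664 -> "664"
    }

# The two records from the thread, abridged and with the wrapped lines joined.
ROOT_RECORD = ('audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3 '
               'a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500 '
               'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 '
               'comm="vi" exe="/bin/vi" name="/tmp/test.c" mode=0100664 ouid=0 ogid=0')
USER_RECORD = ('audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3 '
               'a0=8669560 a1=8000 a2=0 a3=8000 items=1 uid=500 gid=500 euid=500 '
               'comm="vim" exe="/usr/bin/vim" name="/tmp/test.c" mode=0100664 ouid=0')
```

The decoded mode applies only to that one open() call; a later save by the same process is a separate open record with its own a1, so a read/write question has to be answered per record, not per file.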