File watching
Steve
m6x at ornl.gov
Tue Jun 20 19:08:53 UTC 2006
Michael C Thompson wrote:
> Steve wrote:
>>>> Is it possible to tell if a file was opened read/write or read-only
>>>> from the events generated by audit?
>>
>>> The record does record syscall arguments, however, so perhaps you could
>>> analyze a1= (I believe this is the argument that passes flags), and
>>> figure out what flags open() was called with.
>>
>> I performed an open on a file twice, the first is when the user had
>> read/write privileges to the file and in the second the user only has
>> read permissions. These were the a# values from the events,
>> respectively:
>>
>> a0=bfe6ac25 a1=8000 a2=0 a3=8000
>>
>> a0=bfd25b55 a1=8000 a2=0 a3=8000
>>
>> I'm not sure how to analyze that...
>
> In both cases, a1 (the flags) is O_RDONLY (000 octal, 0x0 hex) and
> O_LARGEFILE (0100000 octal, 0x8000 hex).
>
> So the file was opened as read-only. You can't determine the level of access
> the user has from the above, although you should be able to infer some
> information about it from the entire record.
>
> Mike
>
The file is owned by root and the group for the file is root. The
permissions are 664.
Here is the whole record for root accessing the file:
audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3
a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0
cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c"
inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00
obj=user_u:object_r:tmp_t:s0
and for the normal user:
audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3
a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=pts3 comm="vim" exe="/usr/bin/vim"
subj=user_u:system_r:unconfined_t:s0 cwd="/home/m6x" item=0
name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0
rdev=00:00 obj=user_u:object_r:tmp_t:s0
I am not sure why it opens the file as read-only when root opens it...
Steve
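As an added example (not part of the thread), the following Python decodes the a1= flags of the two i386 open() records quoted above and contrasts them with the discretionary permission the opener had on the file, which Mike's reply says must be inferred from the rest of the record (uid/gid vs. ouid/ogid/mode). The flag values are the i386 ones, so the code checks arch before decoding.

```python
import re

# open(2) flag values for i386 (arch=40000003, syscall=5 in the records above);
# O_LARGEFILE and friends differ on other architectures, so arch is checked first.
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAGS = {0x40: "O_CREAT", 0x200: "O_TRUNC", 0x400: "O_APPEND", 0x8000: "O_LARGEFILE"}

# The two records quoted in the mail above, re-joined onto one line each.
ROOT_RECORD = ('audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3 '
               'a0=9a62398 a1=8000 a2=0 a3=8000 items=1 ppid=23750 pid=25063 auid=500 '
               'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 '
               'comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0 '
               'cwd="/home/m6x/src/iitds/sensor/plugins" item=0 name="/tmp/test.c" '
               'inode=5358299 dev=03:02 mode=0100664 ouid=0 ogid=0 rdev=00:00 '
               'obj=user_u:object_r:tmp_t:s0')
USER_RECORD = ('audit(1150830316.688:251): arch=40000003 syscall=5 success=yes exit=3 '
               'a0=8669560 a1=8000 a2=0 a3=8000 items=1 ppid=24750 pid=25069 auid=500 '
               'uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 '
               'tty=pts3 comm="vim" exe="/usr/bin/vim" subj=user_u:system_r:unconfined_t:s0 '
               'cwd="/home/m6x" item=0 name="/tmp/test.c" inode=5358299 dev=03:02 '
               'mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0')

def parse_record(text: str) -> dict:
    """Split an audit record into its key=value fields, quotes removed."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}

def decode_open_flags(a1_hex: str) -> list:
    """Decode the a1= argument (hex, no 0x prefix) of an i386 open() call."""
    flags = int(a1_hex, 16)
    names = [ACCESS.get(flags & 0x3, "O_ACCMODE?")]  # low two bits: access mode
    return names + [n for bit, n in sorted(FLAGS.items()) if flags & bit]

def dac_may_write(rec: dict) -> bool:
    """Infer from fsuid/fsgid vs. ouid/ogid/mode whether the opener could write.
    Root bypasses DAC and supplementary groups are not in the record: approximate."""
    mode, uid, gid = int(rec["mode"], 8), int(rec["fsuid"]), int(rec["fsgid"])
    if uid == 0:
        return True
    if uid == int(rec["ouid"]):
        return bool(mode & 0o200)
    if gid == int(rec["ogid"]):
        return bool(mode & 0o020)
    return bool(mode & 0o002)

def summarize(text: str) -> dict:
    """Contrast how the file was opened with what the opener was allowed to do."""
    rec = parse_record(text)
    if rec.get("arch") != "40000003" or rec.get("syscall") != "5":
        raise ValueError("flag table is only valid for i386 open() records")
    return {"name": rec["name"], "comm": rec["comm"],
            "flags": decode_open_flags(rec["a1"]), "dac_may_write": dac_may_write(rec)}
```

Both records decode to O_RDONLY|O_LARGEFILE, while the DAC check differs: root could have written /tmp/test.c, the uid 500 user could not.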