File watching
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Tue Jun 20 19:56:51 UTC 2006
On Tue, 20 Jun 2006 15:08:53 EDT, Steve said:
> Here is the whole record for root accessing the file
>
> audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3
> a0=9a62398 a1=8000
^^^^
>
> I am not sure why it opens the file as read-only when root opens it...
Because when root passes O_RDONLY, the kernel doesn't second-guess and open
it read-right....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20060620/a1e3c77a/attachment.sig>
More information about the Linux-audit
mailing list