file watch and stat

Amy Griffis amy.griffis at hp.com
Tue Oct 3 15:43:15 UTC 2006


Michael C Thompson wrote:  [Mon Oct 02 2006, 05:22:17PM EDT]
> Amy Griffis wrote:
> >Michael C Thompson wrote:  [Mon Oct 02 2006, 03:16:19PM EDT]
> >>Hey all,
> >>
> >>I'm trying to figure out why having a watch on a file is not generating
> >>a record when I stat said file.
> >>
> >>Put a watch on a file, and do stat file.
> >>
> >>No record... I'm not sure why this is happening, isn't getting such 
> >>information considered security relevant?
> >
> >What is your audit rule?
> 
> auditctl -w /path/to/file

You aren't seeing a record because stat is not included in any of the
syscall classes.  I believe it was omitted because it has a tendency
to fill up audit logs.

You can audit this event by specifying the syscall directly, e.g.

auditctl -a exit,always -S stat -F path=/path/to/file

Regards,
Amy
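
Added example, not part of the original message: once a syscall rule like the one above is loaded, each stat of the file is logged as a SYSCALL record plus a PATH record sharing one event serial, and this sketch pairs them up to list who stat'ed the path. The log lines are constructed and trimmed, the function names are hypothetical, and the syscall numbers assume x86_64 (4 = stat, 2 = open).

```shell
#!/bin/sh
# Constructed, trimmed audit records (x86_64: syscall 4 = stat, 2 = open).
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1159890195.101:501): arch=c000003e syscall=4 success=yes exit=0 pid=2101 uid=500 comm="stat" exe="/usr/bin/stat"
type=PATH msg=audit(1159890195.101:501): item=0 name="/path/to/file" inode=1234 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1159890196.220:502): arch=c000003e syscall=2 success=yes exit=3 pid=2102 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1159890196.220:502): item=0 name="/path/to/file" inode=1234 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1159890197.330:503): arch=c000003e syscall=4 success=yes exit=0 pid=2103 uid=500 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1159890197.330:503): item=0 name="/etc/hosts" inode=99 dev=08:01 mode=0100644
EOF
}

# Reads audit records on stdin. Prints "serial pid comm" for every event
# whose SYSCALL record has syscall number $2 and whose PATH record names $1.
# The number is an argument because syscall numbers differ per architecture.
stat_events_for_path() {
    awk -v want="$1" -v nr="$2" '
    {
        # The event serial is the number after ":" in msg=audit(time:serial)
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
        sub(/.*:/, "", id); sub(/\)/, "", id)
    }
    /^type=SYSCALL / {
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "syscall") sc[id] = kv[2]
            if (kv[1] == "pid") pid[id] = kv[2]
            if (kv[1] == "comm") { gsub(/"/, "", kv[2]); comm[id] = kv[2] }
        }
    }
    /^type=PATH / {
        for (i = 1; i <= NF; i++)
            if ($i == "name=\"" want "\"") hit[id] = 1
    }
    END {
        # Report only events where both halves matched
        for (id in hit)
            if (sc[id] == nr) print id, pid[id], comm[id]
    }' | sort -n
}

# Stand-alone run on the constructed sample
sample_log | stat_events_for_path /path/to/file 4
```

Event 502 touches the same file but is an open, and event 503 is a stat of a different file, so neither is reported.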