file change tracking

Steve Grubb sgrubb at redhat.com
Tue Jul 10 16:05:31 UTC 2007


On Tuesday 10 July 2007 11:56:37 am Simmons Jr,Felix wrote:
> Could someone confirm for me what Vi is doing to the file that pops a
> perm_mask=2 (write) event?

It's opening the file with the intent to write. vi -R is read-only mode.


> On a side note, when I do actually write to the file (via vi or
> redirecting text) I get 7 separate type=FS_WATCH....perm_mask=2 events.
> I can live with the multiples but anyone have any idea why I see that
> for one file write?

Because there are probably 7 write syscalls. The audit system's view of the 
world is very much like strace's. You can use strace to confirm that.

-Steve
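
A post-processing sketch for the multiple-events point above, added here as an example and not part of the original message or the audit project's own tooling: it folds a burst of FS_WATCH write records on one file into a single logical write. Only `type=FS_WATCH` and `perm_mask=2` come from the thread; the record layout (`msg=audit(...)`, `watch=`), the sample lines, treating `perm_mask` as a bit mask, and the 2-second window are assumptions.

```python
import re

# Constructed sample records (not real audit output). The msg=audit(ts:serial)
# stamp and watch="..." field are an assumed layout for illustration.
SAMPLE = """\
type=FS_WATCH msg=audit(1184083531.100:901): watch="notes.txt" perm_mask=2
type=FS_WATCH msg=audit(1184083531.110:902): watch="notes.txt" perm_mask=2
type=FS_WATCH msg=audit(1184083531.120:903): watch="notes.txt" perm_mask=2
type=FS_WATCH msg=audit(1184083531.130:904): watch="notes.txt" perm_mask=2
type=FS_WATCH msg=audit(1184083531.140:905): watch="notes.txt" perm_mask=2
type=FS_WATCH msg=audit(1184083531.150:906): watch="notes.txt" perm_mask=2
type=FS_WATCH msg=audit(1184083531.160:907): watch="notes.txt" perm_mask=2
type=FS_WATCH msg=audit(1184083532.000:908): watch="notes.txt" perm_mask=4
type=FS_WATCH msg=audit(1184083540.000:909): watch="other.txt" perm_mask=2
type=FS_WATCH msg=audit(1184083600.000:910): watch="notes.txt" perm_mask=2
"""

WRITE_BIT = 2  # perm_mask=2 is the write event discussed in the thread
REC = re.compile(
    r'type=FS_WATCH msg=audit\((\d+\.\d+):\d+\):.*?watch="([^"]*)".*?perm_mask=(\d+)'
)

def collapse_writes(log_text, window=2.0):
    """Merge write records on the same watch that arrive within `window`
    seconds of the previous one into a single logical write."""
    bursts = []      # ordered list of {"watch", "start", "end", "events"}
    latest = {}      # watch name -> most recent burst for that watch
    for line in log_text.splitlines():
        m = REC.search(line)
        if not m:
            continue  # not an FS_WATCH record in the assumed layout
        ts, watch, mask = float(m.group(1)), m.group(2), int(m.group(3))
        if not mask & WRITE_BIT:
            continue  # record without the write bit set
        cur = latest.get(watch)
        if cur and ts - cur["end"] <= window:
            cur["end"] = ts          # same burst: one event per write syscall
            cur["events"] += 1
        else:
            cur = {"watch": watch, "start": ts, "end": ts, "events": 1}
            bursts.append(cur)
            latest[watch] = cur
    return bursts

if __name__ == "__main__":
    for b in collapse_writes(SAMPLE):
        print(f'{b["watch"]}: 1 logical write, {b["events"]} audit events')
```
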




More information about the Linux-audit mailing list