file watch: separating file reads and writes

Jon Smith JoSmith at tripwire.com
Wed Jul 9 04:00:18 UTC 2014


I'm running CentOS-6.5-i386-minimal.

I recently used auditd to set up a watch on a specific file (-w /path/to/my/file -p warx), but found it difficult to distinguish system calls that were modifying the file vs. reading from the file when using ausearch/aureport.

In response to that, I separated out the watches by keys:

-w /path/to/my/file -p wa -k thisisawrite
-w /path/to/my/file -p r -k thisisaread

And then ran both aureport -k and aureport -f to join the keys to the system calls by event number.

Am I wholly approaching this the wrong way, or is there an easier way to distinguish between a syscall that reads from a file vs. writes to a file?

Assuming this is the correct approach, would there then be a benefit to adding the key to the aureport -f output? I find it awkward to have to combine the two commands to get the necessary information.

Regards,
Jon Smith
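One way to do the join described above in a single pass, as an added example that is not code from the original message: parse ausearch -i style records, group them by the event serial in msg=audit(...:serial), and attach the rule key to the SYSCALL and PATH records of the same event. The sample records below are constructed to approximate that output and use the key names from the rules in the post.

```python
import re
from collections import defaultdict

# Constructed sample approximating `ausearch -i` output for the two watches
# in the post; field layout may differ slightly from a real CentOS 6 box.
SAMPLE = """\
type=SYSCALL msg=audit(07/09/2014 04:00:18.123:4567) : arch=i386 syscall=open success=yes exit=3 comm=cat exe=/bin/cat key=thisisaread
type=CWD msg=audit(07/09/2014 04:00:18.123:4567) : cwd=/root
type=PATH msg=audit(07/09/2014 04:00:18.123:4567) : item=0 name=/path/to/my/file inode=1234 dev=fd:00 mode=file,644
type=SYSCALL msg=audit(07/09/2014 04:01:02.456:4570) : arch=i386 syscall=open success=yes exit=3 comm=vim exe=/usr/bin/vim key=thisisawrite
type=CWD msg=audit(07/09/2014 04:01:02.456:4570) : cwd=/root
type=PATH msg=audit(07/09/2014 04:01:02.456:4570) : item=0 name=/path/to/my/file inode=1234 dev=fd:00 mode=file,644
"""

# The event serial is the number after the last colon inside msg=audit(...).
SERIAL_RE = re.compile(r'msg=audit\([^)]*:(\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Keys as assigned by the two audit rules in the post.
KEY_LABELS = {"thisisaread": "read", "thisisawrite": "write"}


def parse_events(text):
    """Group records by event serial.

    Returns {serial: {"syscall", "comm", "exe", "key", "paths": [...]}} so the
    key from the SYSCALL record sits next to the file names from PATH records.
    """
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = int(m.group(1))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            events[serial].update({k: fields[k] for k in ("syscall", "comm", "exe", "key") if k in fields})
        elif rtype == "PATH" and "name" in fields:
            events[serial]["paths"].append(fields["name"])
    return dict(events)


def classify(events):
    """Label each event read/write from its rule key; unknown keys stay 'unknown'."""
    return {s: (KEY_LABELS.get(ev.get("key"), "unknown"), ev.get("syscall"), ev["paths"])
            for s, ev in events.items()}


if __name__ == "__main__":
    for serial, (kind, syscall, paths) in sorted(classify(parse_events(SAMPLE)).items()):
        print(f"event {serial}: {kind:7} via {syscall} on {', '.join(paths)}")
```

Feed it the real output of `ausearch -i -k thisisaread -k thisisawrite` instead of SAMPLE to get one line per event with the key, syscall and path together.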