On Tue, 2006-06-20 at 13:10 -0500, Jonathan Abbey wrote:
> On Tue, Jun 20, 2006 at 01:53:14PM -0400, Steve wrote:
> | I have audit set to monitor all system calls for a file. I see some
> | system calls for it, but I think some may be missing... If I create the
> | file using vi, I only see an open followed by a stat64. Shouldn't there
> | be a write of some type? stat and open can't write to a file, can they?
>
> Generally (and I'm speaking from my experience with Snare, here), one
> does not attempt to audit the actual read and write syscalls. Mainly
> because there are far, far too many of them, and you need their
> performance to be as high as conceivably possible.

I think it has more to do with security relevancy than anything. Audit
development has primarily been driven by CAPP and LSPP requirements for
the last couple of years.

-tim

> Instead, you audit the file open, and make a note of whether the file
> was opened read-only, or for read/write. If it was opened for
> read/write, one presumes that it was written to.
>
> Jon
>
> | Thanks,
> | Steve
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
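The approach Jon describes (audit the open, not the reads and writes, and treat an open for writing as a presumed modification) can be applied to the raw audit log after the fact. The following is an added example, not code from this thread or from the audit project: it parses SYSCALL records, picks out successful open(2)/openat(2) calls, and decodes the flags argument (a1 for open, a2 for openat; the aN fields are hex) to report the access mode. The arch codes and syscall numbers are the i386 and x86_64 ones, the O_* bit values are those of x86/x86_64 and are assumed not to be reused on other architectures without checking, and the log lines, including the key name "watch-file", are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# open(2) flag bits as defined for x86 and x86_64 (<asm-generic/fcntl.h>).
# Assumption: other architectures (e.g. alpha, sparc) use different values,
# so consult that arch's <asm/fcntl.h> before reusing this table there.
O_ACCMODE = 0o3
O_RDONLY = 0o0
O_WRONLY = 0o1
O_RDWR = 0o2
O_CREAT = 0o100
O_TRUNC = 0o1000
O_APPEND = 0o2000

# (arch field, syscall number) -> which aN argument carries the flags.
# The arch values are the hex strings the kernel writes into arch=.
OPEN_SYSCALLS = {
    ("40000003", 5): 1,     # i386: open(path, flags, mode)
    ("40000003", 295): 2,   # i386: openat(dirfd, path, flags, mode)
    ("c000003e", 2): 1,     # x86_64: open
    ("c000003e", 257): 2,   # x86_64: openat
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


@dataclass
class OpenEvent:
    serial: str      # audit event serial, usable to join with PATH records
    comm: str
    auid: str
    flags: int

    @property
    def access_mode(self) -> str:
        return {O_RDONLY: "read-only", O_WRONLY: "write-only",
                O_RDWR: "read/write"}.get(self.flags & O_ACCMODE, "unknown")

    @property
    def may_write(self) -> bool:
        # An open for writing is presumed to have written to the file.
        return (self.flags & O_ACCMODE) in (O_WRONLY, O_RDWR)

    @property
    def extra_flags(self) -> List[str]:
        names = ((O_CREAT, "O_CREAT"), (O_TRUNC, "O_TRUNC"), (O_APPEND, "O_APPEND"))
        return [name for bit, name in names if self.flags & bit]


def parse_fields(line: str) -> dict:
    """Split an audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify_open(line: str) -> Optional[OpenEvent]:
    """Return an OpenEvent for a successful open/openat SYSCALL record, else None."""
    f = parse_fields(line)
    if f.get("type") != "SYSCALL" or f.get("success") != "yes":
        return None
    try:
        nr = int(f.get("syscall", ""), 10)   # syscall= is decimal
    except ValueError:
        return None
    arg_index = OPEN_SYSCALLS.get((f.get("arch"), nr))
    if arg_index is None:
        return None                          # stat64, read, write, ...: not an open
    m = SERIAL_RE.search(f.get("msg", ""))
    serial = m.group(2) if m else "?"
    return OpenEvent(serial=serial, comm=f.get("comm", "?"), auid=f.get("auid", "?"),
                     flags=int(f.get(f"a{arg_index}", "0"), 16))   # aN fields are hex


def writers(lines: List[str]) -> List[str]:
    """Serial numbers of opens that must be presumed to have modified the file."""
    events = (classify_open(l) for l in lines)
    return [e.serial for e in events if e and e.may_write]


# Constructed sample records (not real log data). Serial 456 is what vi's
# write looks like on i386: open with O_WRONLY|O_CREAT|O_TRUNC = 0x241.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1150826000.123:456): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe7a0 a1=241 a2=1a4 a3=0 items=1 pid=1235 auid=500 uid=500 comm="vi" exe="/usr/bin/vim" key="watch-file"',
    'type=SYSCALL msg=audit(1150826000.124:457): arch=40000003 syscall=195 success=yes exit=0 a0=bfffe7a0 a1=bfffe640 a2=0 a3=0 items=1 pid=1235 auid=500 uid=500 comm="vi" exe="/usr/bin/vim" key="watch-file"',
    'type=SYSCALL msg=audit(1150826010.001:458): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe7a0 a1=8000 a2=0 a3=0 items=1 pid=1240 auid=500 uid=500 comm="cat" exe="/bin/cat" key="watch-file"',
    'type=SYSCALL msg=audit(1150826020.555:459): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1c00 a2=441 a3=1b6 items=1 pid=1300 auid=501 uid=0 comm="logger" exe="/usr/bin/logger" key="watch-file"',
    'type=SYSCALL msg=audit(1150826030.000:460): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1c00 a1=1 a2=0 a3=0 items=1 pid=1301 auid=502 uid=502 comm="sh" exe="/bin/sh" key="watch-file"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = classify_open(line)
        if ev:
            print(f"{ev.serial}: {ev.comm} (auid={ev.auid}) opened {ev.access_mode} "
                  f"{' '.join(ev.extra_flags)} -> presumed write: {ev.may_write}")
```

Serial 457 (the stat64 Steve saw) and the failed open (460) are ignored, the cat open with only O_LARGEFILE set is reported as read-only, and the vi and logger opens are the ones presumed to have written. A real tool would also join each SYSCALL record with its PATH record by serial number to get the file name, which this example leaves out.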
