Instead, you audit the file open, and make a note of whether the file was opened read-only, or for read/write. If it was opened for read/write, one presumes that it was written to.
Is it possible to tell if a file was opened read/write or read-only from the events generated by audit?
Thanks,
Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
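An added example, not part of the original message: the access mode of an audited open can be read from the flags argument of the SYSCALL record (`a1` for open, `a2` for openat), masked with O_ACCMODE. The sketch assumes raw, uninterpreted x86_64 records; the function name, the sample records and the `file-open` key are constructed for illustration.

```python
import re

# Assumptions: raw (uninterpreted) records from x86_64, where arch=c000003e,
# open is syscall 2 (flags in a1) and openat is syscall 257 (flags in a2).
X86_64 = "c000003e"
FLAGS_ARG = {2: "a1", 257: "a2"}
O_ACCMODE = 0o3
ACCESS_MODE = {0: "read-only", 1: "write-only", 2: "read/write"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def open_mode(record):
    """Return (access mode, succeeded) for an open/openat record, else None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
    if fields.get("type") != "SYSCALL" or fields.get("arch") != X86_64:
        return None
    try:
        flags_arg = FLAGS_ARG[int(fields["syscall"])]
        flags = int(fields[flags_arg], 16)  # a0..a3 are logged as hex
    except (KeyError, ValueError):
        return None  # not an open call, or a field is missing or interpreted
    mode = ACCESS_MODE.get(flags & O_ACCMODE, "unknown")
    return mode, fields.get("success") == "yes"


# Constructed sample records (not taken from a real system).
SAMPLES = [
    # open(path, O_RDONLY)
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7ffd5a1c2f10 a1=0 a2=1b6 a3=0 items=1 pid=1301 '
    'uid=1000 comm="cat" exe="/usr/bin/cat" key="file-open"',
    # openat(AT_FDCWD, path, O_RDWR|O_CREAT|O_TRUNC)
    'type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 '
    'success=yes exit=4 a0=ffffff9c a1=55d0c8a1b2a0 a2=242 a3=1b6 items=2 '
    'pid=1302 uid=1000 comm="vi" exe="/usr/bin/vi" key="file-open"',
    # open(path, O_WRONLY|O_CREAT|O_TRUNC) refused with EACCES
    'type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7ffc11aa3e40 a1=241 a2=1b6 a3=0 items=1 pid=1303 '
    'uid=1001 comm="sh" exe="/usr/bin/sh" key="file-open"',
    # execve: not an open call
    'type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=55d0c8a1c000 a1=55d0c8a1c040 a2=55d0c8a1c080 a3=0 '
    'items=2 pid=1304 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"',
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(open_mode(rec))
```

A write-capable mode on a successful record shows only that the file could have been written through that descriptor, not that it was.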
