On a Fedora system, you can use:
sudo auditctl -w /some/file -p a
It is in the audit package; if you do not have it, run: sudo yum install audit
The output goes to /var/log/audit/audit.log in the form:
type=SYSCALL msg=audit(1325185116.524:1133): arch=c000003e syscall=2 success=yes exit=3 a0=671600 a1=241 a2=1b6 a3=9 items=1 ppid=26641 pid=26643 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="jmacs" exe="/usr/bin/joe" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1325185116.524:1133): cwd="/tmp"
type=PATH msg=audit(1325185116.524:1133): item=0 name="/etc/passwd" inode=531545 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
It is a little dense, but note that the msg=audit(###) records are built from multiple lines.
Now, when I first read the man page, I saw some warnings about using -Farch=b32 / -Farch=b64, so there seems to be some weird thing about 32-bit and 64-bit system calls; therefore, if you do not get an audit record, perhaps that's why. I have never seen this myself, but I have not started any 32-bit processes since the days of Athlon, so I cannot speak to it very well.
BRFennPocock
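As an added example (not part of the answer above), here is a small Python parser that joins the SYSCALL, CWD and PATH records sharing one msg=audit(ts:serial) id into a single event, using the three records quoted in the answer as constructed input. The syscall-name table is a deliberately partial lookup for two ABIs, included only to show why the arch matters when reading syscall numbers.

```python
import re
from collections import defaultdict

# Constructed sample: the three records quoted in the answer, one per line as audit.log writes them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1325185116.524:1133): arch=c000003e syscall=2 success=yes exit=3 a0=671600 a1=241 a2=1b6 a3=9 items=1 ppid=26641 pid=26643 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="jmacs" exe="/usr/bin/joe" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1325185116.524:1133): cwd="/tmp"
type=PATH msg=audit(1325185116.524:1133): item=0 name="/etc/passwd" inode=531545 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Syscall numbers are per-ABI (why auditctl needs -F arch=b32/b64); partial constructed table.
SYSCALL_NAMES = {
    "c000003e": {2: "open", 257: "openat"},  # AUDIT_ARCH_X86_64
    "40000003": {5: "open", 295: "openat"},  # AUDIT_ARCH_I386
}

def parse_fields(rest):
    # Split 'k=v k="v" ...' into a dict; quoted values lose their quotes.
    return {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}

def group_events(text):
    # Records with the same (timestamp, serial) belong to one event.
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events[(ts, serial)]
        ev["id"] = f"{ts}:{serial}"
        fields = parse_fields(rest)
        if rtype == "SYSCALL":
            ev.update(fields)          # arch, syscall, uid, auid, exe, comm, ...
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return dict(events)

def summarize(ev):
    # Reduce a joined event to the fields an analyst usually looks at first.
    num = int(ev.get("syscall", -1))
    return {
        "id": ev.get("id"),
        "syscall": SYSCALL_NAMES.get(ev.get("arch"), {}).get(num, f"syscall#{num}"),
        "success": ev.get("success") == "yes",
        "uid": ev.get("uid"), "auid": ev.get("auid"),
        "exe": ev.get("exe"), "comm": ev.get("comm"),
        "cwd": ev.get("cwd"), "paths": ev["paths"],
    }
```

Point it at the real file with `group_events(open("/var/log/audit/audit.log").read())`; names containing spaces are hex-encoded by auditd and are not decoded here.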