```
$ sudo auditctl -a exit,always -S write -F uid=33
```

We also logged opens that were not O_RDONLY:

```
$ sudo auditctl -a exit,always -S open -F uid=33 -F a1'!=0'
```

This resulted in the following rules:

```
$ sudo auditctl -l
LIST_RULES: exit,always uid=33 (0x21) syscall=write
LIST_RULES: exit,always uid=33 (0x21) a1!=0 syscall=open
```

This allowed us to isolate a PHP module that was completely broken (using aureport).
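As an added illustration (not from the original post), here is a small Python script that does what we used aureport for: it reads raw SYSCALL records as auditd writes them under the two rules above and totals write() bytes and open() calls per executable for uid 33. The log lines are constructed samples, and the syscall-number mapping assumes x86_64 (arch=c000003e).

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's raw log format (not real data).
# On x86_64 (arch=c000003e) syscall=1 is write and syscall=2 is open;
# exit= is the syscall's return value, i.e. bytes written for write(2).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=1 success=yes exit=4096 a0=5 a1=7f3c00001000 a2=1000 a3=0 pid=2345 uid=33 gid=33 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key=(null)
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=1 success=yes exit=8192 a0=5 a1=7f3c00001000 a2=2000 a3=0 pid=2345 uid=33 gid=33 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key=(null)
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=2 success=yes exit=7 a0=7f3c00002000 a1=241 a2=1b6 a3=0 pid=2345 uid=33 gid=33 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key=(null)
type=PATH msg=audit(1700000000.103:503): item=0 name="/var/www/cache/sess_example" inode=1234 dev=08:01 mode=0100644 ouid=33 ogid=33
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=1 success=yes exit=512 a0=9 a1=7f1200000000 a2=200 a3=0 pid=1999 uid=33 gid=33 comm="apache2" exe="/usr/sbin/apache2" key=(null)
type=SYSCALL msg=audit(1700000000.105:505): arch=c000003e syscall=1 success=no exit=-13 a0=3 a1=7f1200000000 a2=100 a3=0 pid=1999 uid=33 gid=33 comm="apache2" exe="/usr/sbin/apache2" key=(null)
type=SYSCALL msg=audit(1700000000.106:506): arch=c000003e syscall=1 success=yes exit=65536 a0=4 a1=7f9900000000 a2=10000 a3=0 pid=611 uid=0 gid=0 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {"1": "write", "2": "open"}  # only the two we audit


def parse_record(line):
    """Split one raw audit line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarize_writes(log_text, uid="33"):
    """aureport-style summary per executable for the audited uid: number of
    write() and open() calls, and bytes actually written (successful writes only)."""
    summary = defaultdict(lambda: {"write_calls": 0, "bytes_written": 0, "open_calls": 0})
    for line in log_text.splitlines():
        rec = parse_record(line)
        # PATH/CWD records share the event id but carry no uid; skip them.
        if rec.get("type") != "SYSCALL" or rec.get("uid") != uid:
            continue
        entry = summary[rec.get("exe", "?")]
        name = X86_64_SYSCALLS.get(rec.get("syscall"))
        if name == "write":
            entry["write_calls"] += 1
            if rec.get("success") == "yes":  # exit= is -errno on failure
                entry["bytes_written"] += int(rec["exit"])
        elif name == "open":
            entry["open_calls"] += 1
    return dict(summary)


def top_writer(summary):
    """Executable that wrote the most bytes, or None if nothing matched."""
    return max(summary, key=lambda exe: summary[exe]["bytes_written"]) if summary else None


if __name__ == "__main__":
    report = summarize_writes(SAMPLE_LOG)
    for exe, stats in sorted(report.items(), key=lambda kv: -kv[1]["bytes_written"]):
        print(f"{exe}: {stats}")
    print("top writer:", top_writer(report))
```

On a live system, feed it /var/log/audit/audit.log (or `ausearch --raw -ui 33`) instead of the sample; the rsyslogd line shows that records for other uids are ignored, and the failed write (success=no) is counted as a call but not as bytes.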
- man 8 auditctl - a utility to assist controlling the kernel’s audit system
- man 8 aureport - a tool that produces summary reports of audit daemon logs
- man 1 dstat - versatile tool for generating system resource statistics
- man 1 iotop - simple top-like I/O monitor
- man 2 open - open and possibly create a file or device