The primary reason for creating the monitoring that we are putting in place is to check when people are copying code from the server for improper reasons.
From what I can see, there is very little difference, if any, between the system calls for viewing the contents of a file and for copying it. Both require a read, and if the file is being copied off the server, that is all you see.
The problem is that the team need to read the contents of the files, but have no need to copy them.
There are clearly certain file types that even reading doesn't make sense for in our set-up, such as archives, so we can monitor by file type, but is there anything in the system calls that differentiates between a read for a copy and just a read to open?
We are not too worried about the odd file here and there; this is about mass copying of files, so there will also probably be some sort of rate that comes into play if that is needed.
While I recognise that this is more a Linux Audit question, I just wondered whether there was something in Auditbeat, or whether the people using it might know of something. If I can clearly see the difference, it makes it very much easier!
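Since the read syscall looks the same either way, the two signals the post itself suggests (file type and rate) are what a detection has to lean on. The following is an added example, not code from the post or from Auditbeat: it joins constructed auditd SYSCALL and PATH records by serial number, then flags a user who opens an archive or who opens more than a threshold of distinct files inside a sliding time window. The audit key `file-read`, the archive extension list and the window/threshold values are assumptions.

```python
import re
from collections import defaultdict
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
ARCHIVE_EXT = (".zip", ".tar", ".tgz", ".gz", ".7z")  # assumed "no need to read" types

def audit_event(ts, serial, auid, comm, path):
    """Constructed two-record auditd event (SYSCALL openat + PATH); not a real log."""
    return (f'type=SYSCALL msg=audit({ts:.3f}:{serial}): arch=c000003e syscall=257 '
            f'success=yes auid={auid} comm="{comm}" key="file-read"\n'
            f'type=PATH msg=audit({ts:.3f}:{serial}): item=0 name="{path}" nametype=NORMAL\n')

def parse_events(log):
    """Join SYSCALL and PATH records that share a serial number into one event."""
    events = {}
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events.setdefault(int(m.group(2)), {"ts": float(m.group(1))})
        if fields["type"] == "SYSCALL":
            ev["auid"] = fields.get("auid")
        elif fields["type"] == "PATH" and fields.get("nametype") == "NORMAL":
            ev["name"] = fields.get("name")
    return [e for e in events.values() if "auid" in e and "name" in e]

def find_mass_reads(log, window=60.0, threshold=20):
    """Flag users reading archives, or > threshold distinct files in any window seconds."""
    alerts, per_user = set(), defaultdict(list)
    for ev in sorted(parse_events(log), key=lambda e: e["ts"]):
        if ev["name"].lower().endswith(ARCHIVE_EXT):
            alerts.add((ev["auid"], "archive-read"))
        per_user[ev["auid"]].append((ev["ts"], ev["name"]))
    for auid, opens in per_user.items():
        start = 0
        for end in range(len(opens)):          # sliding window over this user's opens
            while opens[end][0] - opens[start][0] > window:
                start += 1
            if len({n for _, n in opens[start:end + 1]}) > threshold:
                alerts.add((auid, "mass-read"))
                break
    return sorted(alerts)

def build_sample_log():
    """Constructed sample: auid 1000 browses 3 files; auid 1001 sweeps 30 in 3s, then a tarball."""
    opens = [(1700000000 + 20 * i, 1000, "vim", f"/srv/src/f{i}.c") for i in range(3)]
    opens += [(1700000100 + 0.1 * i, 1001, "cp", f"/srv/src/m{i}.c") for i in range(30)]
    opens.append((1700000200, 1001, "cp", "/srv/backups/src.tar.gz"))
    return "".join(audit_event(ts, 500 + n, a, c, p) for n, (ts, a, c, p) in enumerate(opens))
```

Run `find_mass_reads(build_sample_log())` to see only the sweeping user flagged; the developer reading a few files stays quiet because the per-file read is indistinguishable and only the rate and file type separate the two.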