* System-call auditing
@ 2004-05-19 22:13 Bradley Hook
From: Bradley Hook @ 2004-05-19 22:13 UTC (permalink / raw)
To: Linux-Kernel
I'm trying to put this system-call auditing to use, and I'm running into
some trouble figuring it out. I've been studying the sources for the
auditd example app and the audit.c/auditsc.c kernel files, and have yet
to figure out how to accomplish my goal.
What I am trying to do is detect when a modified file is closed. I
figured auditing __NR_open, __NR_write, and __NR_close would be the way
to do this (perhaps I am wrong here?). My problem is that I haven't
found a way to tie the open/write/close calls together with the info
that the auditing code provides.
The audit info for __NR_open provides the filename (which I would need
when my app goes to work) but doesn't provide any unique identifier that
I can use to tie it to audits on __NR_write or __NR_close.
If anyone can give me some pointers on how to use this auditing code I
would greatly appreciate it.
~Brad
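One way to tie the three calls together is to key the records on the process id plus the file descriptor: the return value of open is the fd, and the first argument of write and close is that same fd, so (pid, fd) identifies one open file until it is closed. The following is an added example, not code from the post or from the kernel's audit.c/auditsc.c; the key=value record format and the sample records are constructed for this example, and the assumption that every record carries pid, syscall name, return value (exit) and first argument (a0) is the author's of the example, not something the 2004 audit code is known to provide.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample records. The format is a simplification made for this
# example (key=value pairs), not the kernel's real audit record layout.
# For open, exit is the returned fd and name is the path; for write and
# close, a0 is the fd argument and exit is the return value.
SAMPLE_RECORDS = [
    "pid=1234 syscall=open exit=3 a0=1 name=/etc/passwd",
    "pid=1234 syscall=write exit=12 a0=3",
    "pid=1234 syscall=close exit=0 a0=3",          # modified -> report
    "pid=1234 syscall=open exit=4 a0=0 name=/etc/hosts",
    "pid=1234 syscall=close exit=0 a0=4",          # never written -> ignore
    "pid=1234 syscall=open exit=-13 a0=1 name=/etc/shadow",  # failed open
    "pid=1234 syscall=write exit=-9 a0=7",         # fd we never saw opened
    "pid=5678 syscall=open exit=3 a0=1 name=/tmp/x",
    "pid=5678 syscall=write exit=0 a0=3",          # zero-byte write
    "pid=5678 syscall=close exit=0 a0=3",          # not modified -> ignore
    "pid=5678 syscall=open exit=3 a0=1 name=/tmp/y",  # fd 3 reused
    "pid=5678 syscall=write exit=5 a0=3",
    "pid=5678 syscall=close exit=0 a0=3",          # modified -> report
]

_INT_FIELDS = ("pid", "exit", "a0")


def parse_record(line: str) -> Dict[str, object]:
    """Split one constructed 'key=value ...' record into a dict."""
    rec: Dict[str, object] = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        rec[key] = int(value) if key in _INT_FIELDS else value
    return rec


def detect_modified_closes(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (pid, path) for every close of a file that was written to.

    State is keyed on (pid, fd): fds are per-process and are reused after
    close, so the entry is removed as soon as the close record arrives.
    """
    open_files: Dict[Tuple[int, int], Dict[str, object]] = {}
    reported: List[Tuple[int, str]] = []
    for line in lines:
        rec = parse_record(line)
        pid = rec.get("pid")
        call = rec.get("syscall")
        if pid is None or call is None:
            continue
        if call == "open":
            fd = rec.get("exit")
            if fd is None or fd < 0:
                continue  # open failed; no fd to track
            open_files[(pid, fd)] = {"path": rec.get("name", "?"),
                                     "modified": False}
        elif call == "write":
            entry = open_files.get((pid, rec.get("a0")))
            # Only a successful write of at least one byte counts as a change.
            if entry is not None and rec.get("exit", -1) > 0:
                entry["modified"] = True
        elif call == "close":
            entry = open_files.pop((pid, rec.get("a0")), None)
            if entry is not None and entry["modified"]:
                reported.append((pid, str(entry["path"])))
    return reported


if __name__ == "__main__":
    for pid, path in detect_modified_closes(SAMPLE_RECORDS):
        print(f"pid {pid} closed modified file {path}")
```

Two caveats for anyone building on this. First, the open/write/close sequence is not the only way a file changes: a process can write through a descriptor inherited across fork or duplicated with dup, through a writable mmap, or change the file with truncate or rename without any write record, so a detector that cares about completeness must track those calls too. Second, the state must be evicted on process exit, or descriptors of long-dead processes will be matched against a new process that happens to get the same pid.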