* Matching close() system calls
@ 2018-03-14 12:51 Kerem Aksu
2018-03-15 17:34 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: Kerem Aksu @ 2018-03-14 12:51 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 705 bytes --]
Hello,
I am trying to trace files by using this rule :
"-a always,exit -F arch=b64 -S read,write,open,close -k file_op"
I can trace open() system calls with the "type=path" log occurred with the
same ID as the open() system call. I can learn which file is opened by that
open() system call.
But when it comes to other system calls I am unable to learn which file is
read, wrote or closed.
I tried to match arguments passed to system calls (a[0..3]) but those are
different than the arguments defined in linux man pages. I might
misunderstand these arguments.
How can I match these or any other (file) system calls with the files that
they used onto.
And when does a "type=PATH" log occurs?
Thanks.
[-- Attachment #1.2: Type: text/html, Size: 1337 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Matching close() system calls
2018-03-14 12:51 Matching close() system calls Kerem Aksu
@ 2018-03-15 17:34 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2018-03-15 17:34 UTC (permalink / raw)
To: Kerem Aksu; +Cc: linux-audit
On Wed, 14 Mar 2018 15:51:44 +0300
Kerem Aksu <ahmtkrmd96@gmail.com> wrote:
> Hello,
>
> I am trying to trace files by using this rule :
> "-a always,exit -F arch=b64 -S read,write,open,close -k file_op"
>
> I can trace open() system calls with the "type=path" log occurred
> with the same ID as the open() system call. I can learn which file is
> opened by that open() system call.
If open returns a non-negative number, then that is the descriptor.
You'll need to match that descriptor as an argument to the other
syscalls for the same pid. You might need to watch exit_group also since
a program exiting closes all descriptors. And also you'll need to check
flags set by open and fcntl to see if CLOEXEC is being set.
> But when it comes to other system calls I am unable to learn which
> file is read, wrote or closed.
This is implicit by referencing the descriptor.
> I tried to match arguments passed to system calls (a[0..3]) but those
> are different than the arguments defined in linux man pages. I might
> misunderstand these arguments.
No, they are pretty much the same.
> How can I match these or any other (file) system calls with the files
> that they used onto.
> And when does a "type=PATH" log occurs?
You'll probably need to write a program using auparse to save the
descriptor from an open or openat and then output the information you
need as a custom program.
-Steve
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-03-15 17:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-03-14 12:51 Matching close() system calls Kerem Aksu
2018-03-15 17:34 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox