Decoding arguments passed to system calls
Steve Grubb
sgrubb at redhat.com
Wed Jul 4 14:29:32 UTC 2007
On Monday 02 July 2007 06:48:23 pm Darryl Dixon - Winterhouse Consulting wrote:
> What you say about not being able to audit 'write()' is worrying to me. The
> problem with auditing write by inference from open(), is that one doesn't
> know *when* the file was written,
But you know who did it and when they started the process of writing to the
file by opening with the intent to write. mmap is not covered by auditing for
write, so you have a big hole anyways.
> My assumption would have been that CWD reflected only where the exe was
> launched from, and not necessarily where the write()-en file was located...
CWD is the process's cwd. Some programs do a chdir("/") right after starting,
so CWD would reflect wherever the app chdir'ed to.
-Steve
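The inference described in this reply (write intent read from the flags of the open() call, a relative PATH name resolved against the event's CWD record) worked through as an added example in Python; this is not code from the original post or from the audit project, and the sample records, the auid values and the rule key are constructed assumptions.

```python
import re
import os
from collections import defaultdict

# open(2) flag bits on x86_64 Linux; the audit SYSCALL record logs the argument in hex.
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC, O_APPEND = 0x1, 0x2, 0x40, 0x200, 0x400
WRITE_INTENT = O_WRONLY | O_RDWR | O_CREAT | O_TRUNC | O_APPEND
# Which argument carries the flags: open(2) is syscall 2, openat(2) is 257 on x86_64.
OPEN_FLAG_ARG = {"2": "a1", "257": "a2"}

# Constructed sample: two events, one open for writing (flags 0x241 =
# O_WRONLY|O_CREAT|O_TRUNC) with a relative name, one read-only open (flags 0).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1183558172.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=241 a2=1b6 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="write-watch"
type=CWD msg=audit(1183558172.123:456): cwd="/home/alice/project"
type=PATH msg=audit(1183558172.123:456): item=0 name="notes.txt" inode=12345 dev=08:01 mode=0100644 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1183558172.900:457): arch=c000003e syscall=2 success=yes exit=4 a0=7fff5678 a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1236 auid=1000 uid=1000 euid=1000 comm="cat" exe="/bin/cat" key="write-watch"
type=CWD msg=audit(1183558172.900:457): cwd="/"
type=PATH msg=audit(1183558172.900:457): item=0 name="/etc/hostname" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ts, serial = SERIAL_RE.search(line).groups()
    fields["_ts"], fields["_serial"] = ts, serial
    return fields

def write_opens(log_text):
    """Group records by event serial and report opens whose flags show write
    intent, as (timestamp, auid, exe, absolute path). A relative PATH name is
    joined onto the CWD record; an absolute name is left as-is. Note the hole
    from the thread: writes through mmap() never produce such an open record."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        r = parse_record(line)
        events[r["_serial"]].setdefault(r["type"], []).append(r)
    results = []
    for recs in events.values():
        sc = recs["SYSCALL"][0]
        arg = OPEN_FLAG_ARG.get(sc.get("syscall"))
        if arg is None or not int(sc[arg], 16) & WRITE_INTENT:
            continue
        cwd = recs["CWD"][0]["cwd"]
        for p in recs["PATH"]:
            results.append((sc["_ts"], sc["auid"], sc["exe"], os.path.join(cwd, p["name"])))
    return results
```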