Extracting written string from the write syscall

Wajih Ul Hassan wajih.lums at gmail.com
Thu Apr 26 20:34:57 UTC 2018


Hi all,
I am using the Linux Audit module to monitor file accesses. However, I want to
extract exactly what was written to a specific file. I am catching the
events belonging to the write syscall, for example:

type=SYSCALL msg=audit(04/26/2018 15:11:33.568:307907) : arch=x86_64
syscall=write success=yes exit=37 a0=0x3 a1=0x1aee240 a2=0x25 a3=0x477
items=0 ppid=11376 pid=26771 auid=wajih uid=wajih gid=wajih euid=wajih
suid=wajih fsuid=wajih egid=wajih sgid=wajih fsgid=wajih tty=pts1 ses=1
comm=a.out exe=/code/a.out key=(null)

I know "a1" is the pointer to the buffer being written; however, is there a
way I can take that pointer and extract the exact string? In the example
above I was writing "Hello world ...".

Thanks,
Wajih
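As an added example (not part of Wajih's mail or of the audit project), here is a small Python parser for the SYSCALL record quoted above that decodes the write(2) argument registers the way audit logged them: a0 is the file descriptor, a1 the userspace buffer address, a2 the byte count, and exit the bytes actually written. It shows that a2 (0x25 = 37) matches exit, and that a1 is only an address inside the process's memory, so the written bytes themselves are not present in the audit record. The record text is a constructed copy of the one in the mail with the line breaks joined.

```python
import re

# Constructed copy of the SYSCALL record quoted in the mail, joined onto one line.
RECORD = (
    "type=SYSCALL msg=audit(04/26/2018 15:11:33.568:307907) : arch=x86_64 "
    "syscall=write success=yes exit=37 a0=0x3 a1=0x1aee240 a2=0x25 a3=0x477 "
    "items=0 ppid=11376 pid=26771 auid=wajih uid=wajih gid=wajih euid=wajih "
    "suid=wajih fsuid=wajih egid=wajih sgid=wajih fsgid=wajih tty=pts1 ses=1 "
    "comm=a.out exe=/code/a.out key=(null)"
)

# key=value pairs; values may be a parenthesised token such as "(null)" or
# "audit(...)" (which contains a space), otherwise any run of non-space chars.
FIELD_RE = re.compile(r"(\w+)=(\([^)]*\)|audit\([^)]*\)|\S+)")


def parse_record(line):
    """Split an interpreted (ausearch -i style) audit record into a field dict."""
    return dict(FIELD_RE.findall(line))


def decode_write(rec):
    """Interpret the x86_64 write(2) registers that audit stored in the record.

    Only the register values are logged: a1 is a pointer into the calling
    process's address space, and the bytes behind it never reach the audit log.
    """
    if rec.get("syscall") != "write":
        raise ValueError("not a write(2) record")
    count = int(rec["a2"], 16)          # requested byte count
    written = int(rec["exit"])          # bytes the kernel actually wrote
    return {
        "fd": int(rec["a0"], 16),       # file descriptor written to
        "buf": int(rec["a1"], 16),      # userspace buffer address only
        "count": count,
        "written": written,
        "complete": written == count,   # whole buffer accepted in one call
        "content_available": False,     # buffer contents are not in the record
        # items=0: write(2) takes no path, so no PATH record accompanies it;
        # the file behind fd must be resolved from the earlier open in this pid.
        "path_records": int(rec["items"]),
    }
```
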