Extracting written string from the write syscall

Steve Grubb sgrubb at redhat.com
Thu Apr 26 22:57:25 UTC 2018


On Thu, 26 Apr 2018 20:34:57 +0000
Wajih Ul Hassan <wajih.lums at gmail.com> wrote:

> Hi all,
> I am using Linux Audit module to monitor file accesses. However, I
> want to extract what exactly was written to a specific file. I am
> catching the events belonging to write syscall, for example:
> 
> type=SYSCALL msg=audit(04/26/2018 15:11:33.568:307907) : arch=x86_64
> syscall=write success=yes exit=37 a0=0x3 a1=0x1aee240 a2=0x25 a3=0x477
> items=0 ppid=11376 pid=26771 auid=wajih uid=wajih gid=wajih euid=wajih
> suid=wajih fsuid=wajih egid=wajih sgid=wajih fsgid=wajih tty=pts1
> ses=1 comm=a.out exe=/code/a.out key=(null)
> 
> I know the "a1" is the pointer to buffer being written; however, is
> there a way I can take that pointer and extract the exact string? In
> the example above I was writing "Hello world ...".

Short answer is no. There is no way I know of to do that via the audit
system.

-Steve
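The SYSCALL record quoted above carries only the buffer address (a1) and the requested byte count (a2), never the bytes themselves; the most a log consumer can recover is how much was written and whether the call completed. The following Python is an added example, not code from the thread or from the audit project: it parses such a record into fields and decodes the write(2) arguments, checking that exit matches a2. The sample record is constructed from the one quoted above (ausearch -i interpreted format); the raw audit.log form (numeric syscall, hex without 0x, arch as c000003e) is also accepted, and all function names are my own.

```python
import re

# Constructed sample, modelled on the interpreted (ausearch -i) record in the thread.
SAMPLE = ('type=SYSCALL msg=audit(04/26/2018 15:11:33.568:307907) : arch=x86_64 '
          'syscall=write success=yes exit=37 a0=0x3 a1=0x1aee240 a2=0x25 a3=0x477 '
          'items=0 ppid=11376 pid=26771 auid=wajih uid=wajih gid=wajih euid=wajih '
          'suid=wajih fsuid=wajih egid=wajih sgid=wajih fsgid=wajih tty=pts1 '
          'ses=1 comm=a.out exe=/code/a.out key=(null)')

# key=value tokens; a value may be a parenthesised group containing spaces,
# e.g. msg=audit(04/26/2018 15:11:33.568:307907) or key=(null).
FIELD_RE = re.compile(r'(\w+)=(\w*\([^)]*\)|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))


def is_write(fields):
    """True for write(2): by name (interpreted) or by number 1 on x86_64 (raw)."""
    sc = fields.get('syscall')
    return sc == 'write' or (sc == '1' and fields.get('arch') in ('x86_64', 'c000003e'))


def decode_write(fields):
    """Interpret the argument registers of a write(2) SYSCALL record.

    a0 = fd, a1 = user-space buffer address, a2 = byte count, exit = bytes
    actually written (or -errno). The buffer contents are not in the log,
    so only length and completeness can be derived here.
    """
    if not is_write(fields):
        return None
    count = int(fields['a2'], 16)       # int() accepts both '0x25' and '25'
    written = int(fields['exit'])
    return {
        'event_id': fields['msg'],
        'fd': int(fields['a0'], 16),
        'buf_addr': int(fields['a1'], 16),
        'count': count,
        'written': written,
        'complete': fields.get('success') == 'yes' and written == count,
        'pid': int(fields['pid']),
        'exe': fields.get('exe'),
    }


if __name__ == '__main__':
    print(decode_write(parse_record(SAMPLE)))
```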