Matching close() system calls

Kerem Aksu ahmtkrmd96 at gmail.com
Wed Mar 14 12:51:44 UTC 2018


Hello,

I am trying to trace files by using this rule:
 "-a always,exit -F arch=b64 -S read,write,open,close -k file_op"

I can trace open() system calls with the "type=PATH" record that occurs with the
same ID as the open() system call. I can learn which file is opened by that
open() system call.

But when it comes to other system calls I am unable to learn which file is
read, written or closed.

I tried to match the arguments passed to system calls (a[0..3]) but those are
different from the arguments defined in the Linux man pages. I might be
misunderstanding these arguments.

How can I match these or any other (file) system calls with the files that
they operate on?
And when does a "type=PATH" record occur?

Thanks.