From: Wajih Ul Hassan <wajih.lums@gmail.com>
To: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Extracting written string from the write syscall
Date: Thu, 26 Apr 2018 20:34:57 +0000	[thread overview]
Message-ID: <CAH5sRbr_-nHPb8moqPyZ--JVOzGi+_PHVVteA+TXe-Yqaoa5xA@mail.gmail.com> (raw)



Hi all,
I am using the Linux Audit module to monitor file accesses. However, I want to
extract what exactly was written to a specific file. I am catching the
events belonging to the write syscall, for example:

type=SYSCALL msg=audit(04/26/2018 15:11:33.568:307907) : arch=x86_64
syscall=write success=yes exit=37 a0=0x3 a1=0x1aee240 a2=0x25 a3=0x477
items=0 ppid=11376 pid=26771 auid=wajih uid=wajih gid=wajih euid=wajih
suid=wajih fsuid=wajih egid=wajih sgid=wajih fsgid=wajih tty=pts1 ses=1
comm=a.out exe=/code/a.out key=(null)

I know the "a1" is the pointer to buffer being written; however, is there a
way I can take that pointer and extract the exact string? In the example
above I was writing "Hello world ...".

Thanks,
Wajih
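The following is an added example, not code from the mail above or from the audit project, showing what the quoted SYSCALL record does and does not contain. It parses the record (re-joined onto one line as a constructed sample), decodes a0/a1/a2 as the write(2) fd, buffer address and count, and checks them against exit (0x25 = 37 bytes requested, 37 written). Because the record carries only the user-space address in a1, never the bytes, the only place the data exists is the writer's own address space; the read_user_buffer helper shows the best-effort /proc/PID/mem read that would be needed, with the assumptions it depends on (process still alive, buffer not yet reused, ptrace access to that pid) stated in its docstring.

```python
# Added example (not from the mail or from the audit project): parse the
# SYSCALL record quoted above, decode the write(2) arguments, and show why
# the written bytes cannot be recovered from the record alone.
import ctypes
import os
import re

# Constructed sample: the record from the mail, re-joined onto a single line.
SAMPLE_RECORD = (
    "type=SYSCALL msg=audit(04/26/2018 15:11:33.568:307907) : arch=x86_64 "
    "syscall=write success=yes exit=37 a0=0x3 a1=0x1aee240 a2=0x25 a3=0x477 "
    "items=0 ppid=11376 pid=26771 auid=wajih uid=wajih gid=wajih euid=wajih "
    "suid=wajih fsuid=wajih egid=wajih sgid=wajih fsgid=wajih tty=pts1 ses=1 "
    "comm=a.out exe=/code/a.out key=(null)"
)

# key=value pairs; a value is either word(...) such as audit(...) or (null),
# a double-quoted string, or a bare token. The lone ':' after msg=audit(...)
# is not a key=value token and is skipped.
_FIELD_RE = re.compile(r'(\w+)=(\w*\([^)]*\)|"(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line):
    """Return the key=value fields of one ausearch -i style record as a dict."""
    return {k: v for k, v in _FIELD_RE.findall(line)}


def decode_write_args(rec):
    """Interpret a0..a2 of a write(2) SYSCALL record.

    a0 = fd, a1 = user-space address of the buffer, a2 = requested count,
    exit = bytes actually written. The record carries the address of the
    buffer, never its contents.
    """
    if rec.get("syscall") != "write":
        raise ValueError("not a write(2) record")
    fd = int(rec["a0"], 16)
    buf = int(rec["a1"], 16)
    count = int(rec["a2"], 16)
    written = int(rec["exit"])
    return {"pid": int(rec["pid"]), "fd": fd, "buf": buf, "count": count,
            "written": written, "complete": written == count}


def read_user_buffer(pid, addr, length):
    """Best-effort read of `length` bytes at `addr` in pid's address space.

    Assumption of this example: the data exists only in the writer's memory,
    so this is racy. It works only while the process is alive, the page is
    still mapped with the same contents, and the caller may ptrace that pid
    (same uid subject to kernel.yama.ptrace_scope, or CAP_SYS_PTRACE).
    Returns None on any failure.
    """
    try:
        with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
            mem.seek(addr)
            data = mem.read(length)
            return data if len(data) == length else None
    except (OSError, ValueError, OverflowError):
        return None


if __name__ == "__main__":
    rec = parse_audit_record(SAMPLE_RECORD)
    args = decode_write_args(rec)
    print(f"pid {args['pid']} wrote {args['written']}/{args['count']} bytes "
          f"from user address {args['buf']:#x} to fd {args['fd']}")
    # pid 26771 from the record is long gone, so this yields None.
    print("buffer of the recorded process:",
          read_user_buffer(args["pid"], args["buf"], args["count"]))
    # Reading our own memory through /proc/self/mem is the one case that is
    # not racy; it shows what a live read of the buffer would return.
    payload = ctypes.create_string_buffer(b"Hello world, from an added example")
    got = read_user_buffer(os.getpid(), ctypes.addressof(payload), len(payload.value))
    print("read back from /proc/self/mem:", got)
```

Practically, this means an audit consumer that sees the record after the fact cannot reconstruct the string; capturing write payloads needs a mechanism that runs inside the syscall (ptrace/strace -s, or a tracing hook) rather than the audit record.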

Thread overview: 12+ messages
2018-04-26 20:34 Wajih Ul Hassan [this message]
2018-04-26 22:57 ` Extracting written string from the write syscall Steve Grubb
2018-04-26 23:40   ` Casey Schaufler
2018-04-26 23:40     ` Casey Schaufler
2018-04-27  0:08     ` Sargun Dhillon
2018-04-27  0:08       ` Sargun Dhillon
2018-04-27  0:46       ` Casey Schaufler
2018-04-27  0:46         ` Casey Schaufler
2018-04-27  2:37         ` Wajih Ul Hassan
2018-04-27 15:35           ` Casey Schaufler
2018-04-27 18:21           ` Richard Guy Briggs
2018-04-27 18:21             ` Richard Guy Briggs
