From mboxrd@z Thu Jan 1 00:00:00 1970
From: Wajih Ul Hassan
Subject: Extracting written string from the write syscall
Date: Thu, 26 Apr 2018 20:34:57 +0000
To: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

Hi all,

I am using the Linux Audit module to monitor file accesses. However, I want to extract what exactly was written to a specific file. I am catching the events belonging to the write syscall, for example:

type=SYSCALL msg=audit(04/26/2018 15:11:33.568:307907) : arch=x86_64 syscall=write success=yes exit=37 a0=0x3 a1=0x1aee240 a2=0x25 a3=0x477 items=0 ppid=11376 pid=26771 auid=wajih uid=wajih gid=wajih euid=wajih suid=wajih fsuid=wajih egid=wajih sgid=wajih fsgid=wajih tty=pts1 ses=1 comm=a.out exe=/code/a.out key=(null)

I know the "a1" is the pointer to the buffer being written; however, is there a way I can take that pointer and extract the exact string? In the example above I was writing "Hello world ...".

Thanks,
Wajih