Hello, I am trying to trace files by using this rule: "-a always,exit -F arch=b64 -S read,write,open,close -k file_op"
I can trace open() system calls with the "type=PATH" record that occurs with the same ID as the open() system call. From it I can learn which file is opened by that open() system call. But when it comes to other system calls I am unable to learn which file is read, written or closed. I tried to match the arguments passed to the system calls (a[0..3]) but those are different from the arguments defined in the Linux man pages. I might misunderstand these arguments. How can I match these or any other (file) system calls with the files that they operate on? And when does a "type=PATH" record occur? Thanks.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
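As an added example (not part of the list post), the correlation the question is after, in Python over a few constructed audit lines: the serial after the colon in msg=audit(ts:serial) joins a SYSCALL record to its PATH records, a PATH record only appears for calls that take a pathname (open here), and read/write/close identify the file by descriptor, which is a0 logged in hex and equals the exit= value of the earlier successful open() in the same pid. The syscall numbers assumed are x86_64, matching the arch=b64 rule; a descriptor mapping like this only covers files opened while the rule was active and does not follow descriptors inherited across fork.

```python
import re

# Constructed sample records, trimmed to the fields this example uses.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2a0 a1=0 a2=0 a3=0 pid=1234 comm="cat" key="file_op"
type=PATH msg=audit(1700000000.100:501): item=0 name="/etc/hosts" inode=1234 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.101:502): arch=c000003e syscall=0 success=yes exit=120 a0=3 a1=7ffd1c3000 a2=20000 a3=0 pid=1234 comm="cat" key="file_op"
type=SYSCALL msg=audit(1700000000.102:503): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 pid=1234 comm="cat" key="file_op"
type=SYSCALL msg=audit(1700000000.103:504): arch=c000003e syscall=0 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 pid=1234 comm="cat" key="file_op"
"""

SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 3: "close"}  # x86_64 numbers
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_record(line):
    """Split one audit line into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def resolve_file_ops(log_text):
    """Return (syscall_name, pid, path_or_None) for each SYSCALL record, in log order."""
    events, order = {}, []
    for line in log_text.splitlines():
        serial = SERIAL_RE.search(line).group(1)   # joins SYSCALL and PATH records
        rec = parse_record(line)
        ev = events.setdefault(serial, {"paths": []})
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
            order.append(serial)
        elif rec["type"] == "PATH":
            ev["paths"].append(rec)
    fd_table, results = {}, []                    # (pid, fd) -> path from successful open()
    for serial in order:
        ev, sc = events[serial], events[serial]["syscall"]
        name = SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"])
        pid, fd = sc["pid"], int(sc["a0"], 16)     # a0..a3 are logged in hex
        path = None
        if name == "open":
            # item for the file itself; nametype=PARENT is the containing directory
            names = [p["name"] for p in ev["paths"] if p.get("nametype") != "PARENT"]
            path = names[-1] if names else None
            if sc["success"] == "yes":
                fd_table[(pid, int(sc["exit"]))] = path   # exit= is the new descriptor
        elif name in ("read", "write", "close"):
            path = fd_table.get((pid, fd))
            if name == "close":
                fd_table.pop((pid, fd), None)     # the number is reusable after close
        results.append((name, pid, path))
    return results
```

The final read in the sample resolves to None because its descriptor was already closed, which is the stale-descriptor case a correlation script has to handle rather than silently reusing the old path.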