Kerem Aksu
2018-03-14 12:51:44 UTC
Hello,
I am trying to trace files by using this rule :
"-a always,exit -F arch=b64 -S read,write,open,close -k file_op"
I can trace open() system calls with the "type=path" log occurred with the
same ID as the open() system call. I can learn which file is opened by that
open() system call.
But when it comes to other system calls I am unable to learn which file is
read, wrote or closed.
I tried to match arguments passed to system calls (a[0..3]) but those are
different than the arguments defined in linux man pages. I might
misunderstand these arguments.
How can I match these or any other (file) system calls with the files that
they used onto.
And when does a "type=PATH" log occurs?
Thanks.
I am trying to trace files by using this rule :
"-a always,exit -F arch=b64 -S read,write,open,close -k file_op"
I can trace open() system calls with the "type=path" log occurred with the
same ID as the open() system call. I can learn which file is opened by that
open() system call.
But when it comes to other system calls I am unable to learn which file is
read, wrote or closed.
I tried to match arguments passed to system calls (a[0..3]) but those are
different than the arguments defined in linux man pages. I might
misunderstand these arguments.
How can I match these or any other (file) system calls with the files that
they used onto.
And when does a "type=PATH" log occurs?
Thanks.