
Re: Decoding arguments passed to system calls



On Monday 02 July 2007 06:48:23 pm Darryl Dixon - Winterhouse Consulting 
wrote:
> What you say about not being able to audit 'write()' is worrying to me. The
> problem with auditing write by inference from open(), is that one doesn't
> know *when* the file was written,

But you know who did it and when they started the process of writing to the 
file by opening with the intent to write. mmap is not covered by auditing for 
write, so you have a big hole anyways.

> My assumption would have been that CWD reflected only where the exe was
> launched from, and not necessarily where the write()-en file was located...

CWD is the process's cwd. Some programs do a chdir("/") right after starting, 
so CWD would reflect wherever the app chdir'ed to.

-Steve
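
The inference discussed in this message, as an added example that is not part of the original post or of the audit project's code: group the SYSCALL, CWD and PATH records of one event, decode the open() flags in `a1` to see whether the file was opened with intent to write, and resolve a relative PATH name against the CWD record. The log lines are constructed and simplified (one PATH record per event), the function names are hypothetical, and the code assumes x86_64, where open() is syscall 2.

```python
import os
import re
from collections import defaultdict

# Constructed sample records (not from the original thread), in the raw
# audit.log layout. The first process has done chdir("/") before opening.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1183416503.101:410): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1000 a1=241 a2=1b6 a3=0 pid=2201 auid=500 uid=500 comm="app" exe="/usr/bin/app"
type=CWD msg=audit(1183416503.101:410): cwd="/"
type=PATH msg=audit(1183416503.101:410): item=0 name="var/data/out.log" inode=1234
type=SYSCALL msg=audit(1183416510.555:411): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2000 a1=0 a2=0 a3=0 pid=2202 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1183416510.555:411): cwd="/home/user"
type=PATH msg=audit(1183416510.555:411): item=0 name="/etc/hosts" inode=99
'''

O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
ARCH_X86_64, SYS_OPEN = 'c000003e', 2  # assumption: x86_64 records only

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        fields['time'] = float(ts)
        events[serial][rtype] = fields
    return events

def write_opens(text):
    """Return (time, auid, exe, absolute path) for opens with write intent."""
    out = []
    for recs in parse_events(text).values():
        sc, cwd, path = recs.get('SYSCALL'), recs.get('CWD'), recs.get('PATH')
        if not (sc and cwd and path):
            continue
        if sc['arch'] != ARCH_X86_64 or int(sc['syscall']) != SYS_OPEN:
            continue
        flags = int(sc['a1'], 16)  # a0..a3 are logged as hex
        if flags & O_ACCMODE in (O_WRONLY, O_RDWR):
            full = os.path.normpath(os.path.join(cwd['cwd'], path['name']))
            out.append((sc['time'], sc['auid'], sc['exe'], full))
    return out
```

The timestamp returned is when the file was opened for writing, not when any individual write() happened, which is the limitation the quoted question raises.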


