Extracting written string from the write syscall

Casey Schaufler casey at schaufler-ca.com
Thu Apr 26 23:40:08 UTC 2018


On 4/26/2018 3:57 PM, Steve Grubb wrote:
> On Thu, 26 Apr 2018 20:34:57 +0000
> Wajih Ul Hassan <wajih.lums at gmail.com> wrote:
>
>> Hi all,
>> I am using Linux Audit module to monitor file accesses. However, I
>> want to extract what exactly was written to a specific file. I am
>> catching the events belonging to the write syscall, for example:
>>
>> type=SYSCALL msg=audit(04/26/2018 15:11:33.568:307907) : arch=x86_64
>> syscall=write success=yes exit=37 a0=0x3 a1=0x1aee240 a2=0x25 a3=0x477
>> items=0 ppid=11376 pid=26771 auid=wajih uid=wajih gid=wajih euid=wajih
>> suid=wajih fsuid=wajih egid=wajih sgid=wajih fsgid=wajih tty=pts1
>> ses=1 comm=a.out exe=/code/a.out key=(null)
>>
>> I know the "a1" is the pointer to buffer being written; however, is
>> there a way I can take that pointer and extract the exact string? In
>> the example above I was writing "Hello world ...".
> Short answer is no. There is no way I know of to do that via the audit
> system.

You could write a Linux Security Module (LSM) to monitor the
content of writes. The performance impact would be rather
amazing. 

>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

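The record above shows why the audit route is a dead end: a0, a1 and a2 are
the register values at syscall entry (fd, buffer pointer, count; a2=0x25 is
the 37 bytes that exit=37 confirms were written), and audit logs the pointer,
not the memory behind it. The in-kernel answer is the LSM Casey describes;
the userspace equivalent is to trace the process, stop it at syscall entry
and read the buffer out of its address space before it continues. The C
below is an added example written for this page, not code from the thread
or from the audit or LSM projects: it forks a child that writes a constructed
"Hello world" string to /dev/null, traces it with ptrace(2), and at the entry
of write(2) copies a2 bytes from a1 with PTRACE_PEEKDATA. It assumes Linux on
x86_64 or aarch64 (the register layout is the only arch-specific part) and
that ptrace is permitted for the caller; capture_child_write and peek_buffer
are names chosen here. Every traced process pays two stops per syscall,
which is the same kind of cost the LSM remark warns about, only paid in
userspace; and the buffer has to be read at the entry stop, since after the
syscall returns the process may free or reuse it.

```c
/* Added example, not from the thread: trace a child with ptrace(2), stop at
 * each syscall entry, and when it is write(2) copy `count` bytes out of the
 * tracee at `buf` (audit logs a1/a2 as registers only). Linux x86_64/aarch64. */
#include <elf.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SYSCALL_NR(r)     ((r).orig_rax) /* rax holds -ENOSYS at entry */
#define SYSCALL_ARG(r, i) ((i) == 0 ? (r).rdi : (i) == 1 ? (r).rsi : (r).rdx)
#elif defined(__aarch64__)
#define SYSCALL_NR(r)     ((r).regs[8])  /* x8 carries the syscall number */
#define SYSCALL_ARG(r, i) ((r).regs[(i)])
#else
#error "register layout not handled for this architecture"
#endif

/* Copy len bytes of tracee memory, one word per PTRACE_PEEKDATA call. */
static ssize_t peek_buffer(pid_t pid, unsigned long addr, char *out, size_t len)
{
    for (size_t got = 0; got < len;) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + got), NULL);
        if (word == -1 && errno != 0)
            return -1;                          /* unmapped or unreadable */
        size_t n = len - got < sizeof word ? len - got : sizeof word;
        memcpy(out + got, &word, n);
        got += n;
    }
    return (ssize_t)len;
}

/* Fork a child that writes msg to /dev/null, trace it, and return the bytes
 * captured from its first write(2), NUL-terminated in out; fd_seen receives
 * the descriptor it used.  Returns -1 if tracing is not possible here. */
ssize_t capture_child_write(const char *msg, char *out, size_t outlen, long *fd_seen)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                             /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        raise(SIGSTOP);                         /* hand control to the tracer */
        int fd = open("/dev/null", O_WRONLY);
        if (fd < 0 || write(fd, msg, strlen(msg)) < 0)
            _exit(126);
        _exit(0);
    }

    int status = 0, in_syscall = 0, sig = 0, reaped = 0;
    ssize_t captured = -1;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        goto done;
    /* Syscall stops report SIGTRAP|0x80, distinct from a real SIGTRAP. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) != -1) {
        sig = 0;
        if (waitpid(pid, &status, 0) == -1)
            break;
        if (!WIFSTOPPED(status)) {
            reaped = 1;                         /* child exited */
            break;
        }
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);             /* ordinary signal: re-inject */
            continue;
        }
        in_syscall = !in_syscall;               /* entry and exit stops alternate */
        if (!in_syscall) continue;              /* exit stop: nothing to read */
        struct user_regs_struct regs;
        struct iovec iov = { &regs, sizeof regs };
        if (ptrace(PTRACE_GETREGSET, pid, (void *)(long)NT_PRSTATUS, &iov) == -1)
            break;
        if (SYSCALL_NR(regs) != SYS_write || captured >= 0)
            continue;
        /* a0 = fd, a1 = buf, a2 = count: the same slots audit prints. */
        size_t len = SYSCALL_ARG(regs, 2) < outlen - 1 ? SYSCALL_ARG(regs, 2) : outlen - 1;
        captured = peek_buffer(pid, (unsigned long)SYSCALL_ARG(regs, 1), out, len);
        if (captured >= 0)
            out[captured] = '\0';
        if (fd_seen)
            *fd_seen = (long)SYSCALL_ARG(regs, 0);
    }
done:
    if (!reaped) {                              /* never leave a stopped child */
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
    }
    return captured;
}
```

Calling capture_child_write("Hello world", buf, sizeof buf, &fd) fills buf
with the child's buffer and fd with its a0. On a real target you would
PTRACE_ATTACH to the pid from the audit record instead of forking, subject
to Yama's ptrace_scope and the same uid or CAP_SYS_PTRACE; reading
/proc/PID/mem or using process_vm_readv after the audit event has already
been emitted is racy for the reason given above.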