On Monday 02 July 2007 06:48:23 pm Darryl Dixon - Winterhouse Consulting wrote:
> What you say about not being able to audit 'write()' is worrying to me. The
> problem with auditing write by inference from open(), is that one doesn't
> know *when* the file was written,
But you know who did it and when they started the process of writing to the
file by opening with the intent to write. mmap is not covered by auditing for
write, so you have a big hole anyways.
> My assumption would have been that CWD reflected only where the exe was
> launched from, and not necessarily where the write()-en file was located...
CWD is the process's cwd. Some programs do a chdir("/") right after starting,
so CWD would reflect wherever the app chdir'ed to.
-Steve
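
As an added example (not part of the original message or the audit project's code): a Python sketch of the inference described above, grouping SYSCALL, CWD and PATH records by event id, keeping opens whose flags request write access, and resolving a relative PATH name against the process's CWD. The sample records are constructed, and the x86_64 syscall number and the function names are assumptions.

```python
import posixpath
import re

O_ACCMODE = 0o3      # low two bits of open() flags: 0=O_RDONLY, 1=O_WRONLY, 2=O_RDWR
OPEN_SYSCALL = "2"   # open(2) on x86_64 (assumption matching the sample records)

# Constructed sample records; a1 is the open() flags argument in hex.
# 0x441 = O_WRONLY|O_CREAT|O_APPEND, 0x0 = O_RDONLY.
SAMPLE = '''\
type=SYSCALL msg=audit(1183358903.100:41): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1000 a1=441 a2=1b6 pid=2101 auid=500 uid=500 comm="appd" exe="/usr/sbin/appd"
type=CWD msg=audit(1183358903.100:41): cwd="/"
type=PATH msg=audit(1183358903.100:41): item=0 name="var/log/app.log" inode=1234
type=SYSCALL msg=audit(1183358910.200:42): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd2000 a1=0 a2=0 pid=2102 auid=501 uid=501 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1183358910.200:42): cwd="/home/user"
type=PATH msg=audit(1183358910.200:42): item=0 name="/etc/hosts" inode=99
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse(log):
    """Group records by audit event id -> {record type: fields}.
    Keeps one record per type, which is enough for single-PATH events."""
    events = {}
    for line in log.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        m = EVENT.search(fields.get("msg", ""))
        if m:
            events.setdefault(m.groups(), {})[fields["type"]] = fields
    return events

def write_opens(log):
    """Return who opened which absolute path with write intent, and when.
    This is the open() time, not the time of any later write() or mmap store."""
    out = []
    for (ts, _serial), recs in sorted(parse(log).items()):
        sc, cwd, path = recs.get("SYSCALL"), recs.get("CWD"), recs.get("PATH")
        if not (sc and cwd and path) or sc["syscall"] != OPEN_SYSCALL:
            continue
        if sc.get("success") != "yes" or int(sc["a1"], 16) & O_ACCMODE == 0:
            continue  # failed open, or opened read-only
        # A relative PATH name is relative to the CWD record, not to where
        # the executable lives; here the daemon had done chdir("/").
        full = posixpath.normpath(posixpath.join(cwd["cwd"], path["name"]))
        out.append({"opened_at": float(ts), "auid": sc["auid"],
                    "exe": sc["exe"], "path": full})
    return out

if __name__ == "__main__":
    for hit in write_opens(SAMPLE):
        print(hit)
```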