Re: System call hooking in 2.6 kernel..


On Mon, Nov 10, 2008 at 2:36 PM, ashish mahamuni <ashitpro@xxxxxxxxxxx> wrote:
Hello All,

I am trying to write a module which will log the user who deleted the file...
So, I am thinking of hooking the unlink system call...
Which is the best way to achieve this?
Is it possible in 2.6 kernel?

Hi Ashish,
Can we know your intention behind hooking the unlink call? Do you wish to log the deletion to detect malicious users who delete files, or is it for any other reason? If avoiding malice is your intention (since you say 'user who deleted _the_ file'), then you'll have to check a lot of other syscalls too. A user could just 'dd' the file with zeroes and unlink will never be called; yet, the file is as good as deleted (actually worse).

Just a thought...

Best regards,
Pranav
http://pranavsbrain.peshwe.com
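The point Pranav raises about 'dd' sidestepping an unlink hook, illustrated with an added example that is not part of the original thread: a small userspace Python check that takes a baseline fingerprint (inode, size, SHA-256) of a file and later classifies what happened to it. Only the "unlinked" outcome would ever be visible to a monitor that records unlink() alone; truncation and in-place zeroing leave the name in the directory and never go through that call. The file name and contents below are constructed for the demonstration.

```python
"""Classify how a file was destroyed: unlink() versus in-place zeroing/truncation.

Added example (not code from the thread). Runs entirely inside a temporary
directory it creates itself; no kernel module or syscall hook is involved.
"""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (inode, size, sha256 hex) for a file, or None if it no longer exists."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return (st.st_ino, st.st_size, digest)


def classify(baseline, path):
    """Compare the file at `path` with its earlier baseline fingerprint.

    Returns one of "intact", "unlinked", "truncated", "zeroed", "modified".
    An unlink()-only hook reports just the "unlinked" case; the other
    destructive outcomes are reached through open/write/truncate instead.
    """
    if baseline is None:
        raise ValueError("a baseline fingerprint is required")
    now = fingerprint(path)
    if now is None:
        return "unlinked"          # directory entry gone: unlink() was called
    if now == baseline:
        return "intact"
    if now[1] < baseline[1]:
        return "truncated"         # e.g. open(O_TRUNC) or dd without conv=notrunc
    with open(path, "rb") as fh:
        data = fh.read()
    if data and data.count(0) == len(data):
        return "zeroed"            # same size, every byte 0x00: 'dd if=/dev/zero'
    return "modified"


def simulate(action):
    """Create a sample file (constructed content), apply one action, classify it.

    action: "none", "unlink", "truncate" or "dd_zero".
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "payroll.csv")       # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"alice,4200\nbob,3900\ncarol,5100\n")
        base = fingerprint(path)

        if action == "unlink":
            os.unlink(path)
        elif action == "truncate":
            os.truncate(path, 0)
        elif action == "dd_zero":
            # Same effect as: dd if=/dev/zero of=payroll.csv bs=1 count=<size> conv=notrunc
            with open(path, "r+b") as fh:
                fh.write(b"\x00" * base[1])
        elif action != "none":
            raise ValueError("unknown action: %r" % action)

        return classify(base, path)


if __name__ == "__main__":
    for act in ("none", "unlink", "truncate", "dd_zero"):
        seen_by_unlink_hook = "yes" if act == "unlink" else "no"
        print("%-9s -> %-9s (unlink hook would log it: %s)"
              % (act, simulate(act), seen_by_unlink_hook))
```

The fingerprint approach is a detection-side complement, not a replacement for kernel-level logging: it tells you after the fact that a file was zeroed or truncated rather than unlinked, which is exactly the case a hook on the unlink path never observes.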

