From b765715b4795ce4bc8940c7b1a1092a78550de94 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Fri, 26 Jul 2024 15:20:45 +0800
Subject: The 1st prompt to record file changed by process

To record it, we must listen to open/write and several syscalls, and now I've add open into the 2nd coroutine. In syscall open, what we should do is to judge the permission flag (the 2nd param in the syscall), to find out if it can write to the file. If so, the exit code is its file descriptor, and when write is called, the audit shows only file descriptor but no file name. So the next step is to add things into 3rd coroutine, to make the whole program running again, and find out bugs.
---
 old/au.sh | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100755 old/au.sh

(limited to 'old')

diff --git a/old/au.sh b/old/au.sh
new file mode 100755
index 0000000..66da315
--- /dev/null
+++ b/old/au.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+##########################################################################
+# File Name : au.sh
+# Encoding : utf-8
+# Author : We-unite
+# Email : weunite1848@gmail.com
+# Created Time : 2024-07-25 17:56:49
+##########################################################################
+
+set -e
+
+if [ $EUID -ne 0 ]; then
+ echo -e "Please run as root/sudo"
+ exit 1
+fi
+
+auditctl -D
+
+fileSyscall="open write creat unlink mkdir rmdir chmod fchmod chown fchown lchown flock"
+for syscall in $fileSyscall; do
+ auditctl -a exit,always -F arch=b64 -S $syscall
+done
+
-- 
cgit v1.2.3-70-g09d2
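Review bot: The `auditctl -a exit,always -F arch=b64 -S $syscall` rule in the `for` loop matches only the 64-bit ABI, so a process that issues the same file syscalls through the 32-bit compat ABI (`arch=b32`) is never logged, and `open` itself will rarely show up because current glibc implements `open()` with the `openat` syscall on x86-64, which the list does not contain — the commit message's plan to take the fd from the `open` exit value therefore misses most opens. I would loop over both architectures, add the `*at` variants the goal depends on (`openat unlinkat mkdirat fchmodat fchownat`, plus `rename`/`renameat` which the list omits, and `openat2` only if the audit userspace on the target resolves that name, since an unknown syscall name makes `auditctl` fail and `set -e` abort the script), and attach a `-k filechange` key so `ausearch -k filechange` can pull the events out. Two caveats deserve a comment above `auditctl -D`: it deletes every loaded rule, including anything loaded from `/etc/audit/rules.d`, and rules added with `auditctl` do not survive a reboot. Auditing every `write` exit system-wide is also very noisy; expect dropped events or a saturated auditd unless the backlog limit is raised. Minor: quote `$EUID` and `$syscall`, and send the root-check message to stderr, e.g. `(( EUID == 0 )) || { printf 'Please run as root/sudo\n' >&2; exit 1; }`, instead of `echo -e` to stdout.
```shell
# … unchanged: header, root check, auditctl -D …
fileSyscall="open openat creat write unlink unlinkat mkdir mkdirat rmdir rename renameat chmod fchmod fchmodat chown fchown lchown fchownat flock"
for syscall in $fileSyscall; do
  for arch in b64 b32; do
    auditctl -a exit,always -F arch="$arch" -S "$syscall" -k filechange
  done
done
```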