I'd use syscall::open*:return, or possibly open*:return.
As you mentioned, there are a few different open() calls, so you need to catch all of them.
Set up auditing. See this:
I also guess that you, by this line:
/arg1 == 1 || arg1 == 2/
...want to filter out the O_RDONLY opens, but I don't think it works. I'd rather do:
/arg1 != 0/
You can always write a small script which shows you the arg1; it's rather interesting ;)