Endpoint security and non-file events

I must be missing something really obvious, and I feel particularly dumb about it: I don't see any event -- authorization or notification -- for creating or removing a directory. I also don't see one for creating a symlink (although that can be handled via unlink, one presumes). The events for create seem to be file only (and I'm also quite surprised that the file mode isn't available in the authorization event for that).

So how blind am I here? I mean, I *must* have missed something, right?

Ok, so there is a CREATE event when either a file or a directory is created. But there's no information as to what type of object is being / has been created, unless I missed something again. Also, there doesn't seem to be a CREATE event for symlinks.

Ok. So there *is* an authorization event for creating filesystem objects, including directories and symlinks, and this includes the mode. However, and this confused me for quite a while, the create notification is only after the fact, so it will never indicate it's a new file, and the only way you can find out file information is to lstat/getattrinfo/etc. on the given path then.

It makes complete and utter sense, and is also completely and utterly annoying. :)
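The after-the-fact lookup described in the last post, as an added example that is not part of the original thread: it uses only portable POSIX calls rather than the Endpoint Security API, and `classify_created`, `obj_kind` and `demo` are hypothetical names. Because the notification arrives after creation, the path may already be gone by the time it is examined, so that case is reported separately.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* expose lstat/symlink/mkdtemp under strict -std= */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result type for this example. */
typedef enum { OBJ_GONE, OBJ_FILE, OBJ_DIR, OBJ_SYMLINK, OBJ_OTHER, OBJ_ERROR } obj_kind;

/* Classify the object a create notification pointed at.
 * lstat() does not follow links, so a symlink is reported as a symlink
 * (even a dangling one) instead of as whatever it points to. */
obj_kind classify_created(const char *path, mode_t *mode_out)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return errno == ENOENT ? OBJ_GONE : OBJ_ERROR;
    if (mode_out) *mode_out = st.st_mode & 07777;
    if (S_ISLNK(st.st_mode)) return OBJ_SYMLINK;
    if (S_ISDIR(st.st_mode)) return OBJ_DIR;
    if (S_ISREG(st.st_mode)) return OBJ_FILE;
    return OBJ_OTHER;
}

/* Constructed sample input: create one object in a fresh temp directory.
 * which: 0 = file, 1 = directory, 2 = dangling symlink, 3 = nothing. */
obj_kind demo(int which)
{
    char dir[] = "/tmp/es_demo_XXXXXX", path[64];
    int rc = 0;
    if (!mkdtemp(dir)) return OBJ_ERROR;
    snprintf(path, sizeof path, "%s/obj", dir);
    if (which == 0) { FILE *f = fopen(path, "w"); rc = f ? fclose(f) : -1; }
    else if (which == 1) rc = mkdir(path, 0700);
    else if (which == 2) rc = symlink("/nonexistent/es-demo-target", path);
    obj_kind k = rc == 0 ? classify_created(path, NULL) : OBJ_ERROR;
    if (which == 1) rmdir(path); else unlink(path);
    rmdir(dir);
    return k;
}

int main(void)
{
    for (int i = 0; i < 4; i++) printf("case %d -> kind %d\n", i, (int)demo(i));
    return 0;
}
```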
