Hello,

3 questions regarding Endpoint Security Framework:

- Does ESF support tracing the `dup2(2)` function? There is the `ES_EVENT_TYPE_NOTIFY_DUP` event, but it seems that it only reports `dup(2)`, not `dup2(2)`?

- Does ESF support tracing the `dup(2)` and `close(2)` calls if the file descriptor passed to these functions refers to a pipe handle instead of a file handle? If not, do you have any plans of extending the support to pipes as well?

- Could the `es_event_dup_t` structure support reporting which file handle has been duplicated into which value (source file descriptor value and target file descriptor value)? Currently this structure only supports the "target" file object, without any information about which file descriptor has been cloned into which file descriptor, which is not helpful at all. For example, if we open `fileA` and we get `fd1`, then open the same `fileA` and we get `fd2`, then perform `dup(fd1)`, then with ESF it seems that it's impossible to tell if we've duplicated `fd1` or `fd2`. Also this model doesn't support `dup2(2)` usage at all.
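The ambiguity described in the third question can be reproduced without any Endpoint Security client. The program below is an added example, not code from the post or from Apple: it opens one file twice (`fd1`, `fd2`), then calls `dup(fd1)` and `dup2(fd1, target)`, and shows that a record carrying only the file's identity (device and inode, which is what an `es_file_t`-style record conveys) is identical for all of them, whereas the kernel-level fact that distinguishes a `dup` from a second `open` is the shared open-file description (visible from user space as a shared file offset). The temp file path, the `fileA` contents and the `dup2` target slot are constructed for the demo and are assumed to be free; the code is plain POSIX C and runs on macOS or Linux.

```c
// Added example (not from the original forum post). Demonstrates why an event
// that reports only the *file* behind a duplicated descriptor cannot say which
// descriptor was duplicated: two independent open(2) calls on the same file
// give descriptors on the same vnode (same st_dev/st_ino) but on different
// open-file descriptions, while dup(2)/dup2(2) give a descriptor that shares
// the original's open-file description, and therefore its file offset.
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if both descriptors resolve to the same file (same device and inode),
 * 0 if not, -1 on error. This is all a file-object-only record exposes, so it
 * is the same answer for fd1, fd2, dup(fd1) and dup2(fd1, n). */
int same_file(int a, int b) {
    struct stat sa, sb;
    if (fstat(a, &sa) != 0 || fstat(b, &sb) != 0) return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* 1 if the two descriptors share one open-file description (the result of
 * dup/dup2), 0 if they are independent opens, -1 on error. A shared
 * description means a shared offset: nudging a's offset moves b's as well. */
int shares_description(int a, int b) {
    off_t orig_a = lseek(a, 0, SEEK_CUR);
    off_t orig_b = lseek(b, 0, SEEK_CUR);
    if (orig_a < 0 || orig_b < 0) return -1;
    if (lseek(a, orig_a + 1, SEEK_SET) < 0) return -1;  /* nudge a's offset */
    off_t after_b = lseek(b, 0, SEEK_CUR);
    lseek(a, orig_a, SEEK_SET);                           /* restore a */
    if (after_b < 0) return -1;
    return after_b != orig_b;
}

/* Builds the scenario from the post: open fileA twice (fd1, fd2), then
 * dup(fd1) and dup2(fd1, target). Fills out[] = {fd1, fd2, dupfd, dup2fd}.
 * Returns 0 on success, -1 on error. The caller owns the descriptors. */
int build_scenario(int out[4]) {
    char path[] = "/tmp/esf-dup-demo-XXXXXX";  /* constructed temp file, not a path from the post */
    int fd1 = mkstemp(path);
    if (fd1 < 0) return -1;
    const char body[] = "fileA\n";              /* constructed contents */
    if (write(fd1, body, sizeof body - 1) < 0 || lseek(fd1, 0, SEEK_SET) < 0) {
        close(fd1); unlink(path); return -1;
    }
    int fd2 = open(path, O_RDWR);               /* second, independent open of the same file */
    unlink(path);                               /* the file lives on while descriptors are open */
    if (fd2 < 0) { close(fd1); return -1; }
    int dupfd = dup(fd1);
    int target = fd2 + 16;                      /* assumed-free slot, chosen for the demo */
    int dup2fd = dup2(fd1, target);
    if (dupfd < 0 || dup2fd < 0) { close(fd1); close(fd2); return -1; }
    out[0] = fd1; out[1] = fd2; out[2] = dupfd; out[3] = dup2fd;
    return 0;
}

int main(void) {
    int fds[4];
    if (build_scenario(fds) != 0) { perror("build_scenario"); return 1; }
    const char *names[4] = {"fd1", "fd2", "dup(fd1)", "dup2(fd1,n)"};
    printf("%-12s %-12s same_file shares_description\n", "a", "b");
    for (int i = 0; i < 4; i++)
        for (int j = i + 1; j < 4; j++)
            printf("%-12s %-12s %-9d %d\n", names[i], names[j],
                   same_file(fds[i], fds[j]), shares_description(fds[i], fds[j]));
    for (int i = 0; i < 4; i++) close(fds[i]);
    return 0;
}
```

The table the program prints makes the point of the post concrete: `same_file` is 1 for every pair, so a record that identifies only the file object cannot separate `dup(fd1)` from a hypothetical `dup(fd2)`; `shares_description` is 1 only for the pairs that came from `dup`/`dup2`, which is exactly the source-to-target relation the post asks the event to carry.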