djoreilly
commented
10 months ago Need to check that this builds and runs on older OSes.
Closed djoreilly closed 7 months ago
djoreilly
commented
10 months ago Need to check that this builds and runs on older OSes.
djoreilly
commented
8 months ago Works for kernel >= 4.11
djoreilly
commented
8 months ago On kernels before 4.11, or filesystems without support for statx, it will just return the zero time, which can be checked for in vql.
djoreilly
commented
7 months ago Found a way to find if a file is new from an audit plugin watch event. So this PR is not needed anymore.
Currently the stat plugin returns "0001-01-01T00:00:00Z" for the Btime on Linux which makes it impossible to know if the file is new.