This uses the audit plugin to monitor fchown and fchownat system calls in separate queries that run concurrently. The fchown call does not have a path argument, so we watch the monitored directories for new opened files and store their inode to path mappings in an LRU that the fchown query can lookup.
This uses the audit plugin to monitor fchown and fchownat system calls in separate queries that run concurrently. The fchown call does not have a path argument, so we watch the monitored directories for new opened files and store their inode to path mappings in an LRU that the fchown query can lookup.