Sysinternals / SysmonForLinux


FileCreate event #182

Open aminassadi opened 1 month ago

aminassadi commented 1 month ago

Describe the bug When utilizing the creat system call to generate a new file, a FileCreate event is triggered. Conversely, no such event is reported when employing the open system call for file creation. Additionally, attempting to open an already existing file with the creat system call results in a FileCreate event being generated.

To Reproduce I wrote a simple program to test it.

create a new file with creat system call

#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>

int main(void)
{
    mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
    const char* pathname = "./test";
    int fd = creat(pathname, mode); // A call to creat() is equivalent to calling open() with flags equal to O_CREAT|O_WRONLY|O_TRUNC.
    if(fd < 0)
    {
        printf("failed\n");
    }
    else{
        printf("successful\n");
    }
    return 0;
}

create a new file with open system call

#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>

int main(void)
{
    mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
    const char* pathname = "./test";
    int fd = open(pathname, O_CREAT|O_WRONLY|O_TRUNC, mode); // this is equivalent to creat
    if(fd < 0)
    {
        printf("failed\n");
    }
    else{
        printf("successful\n");
    }
    return 0;
}

Sysmon version Sysmon v1.3.3

Distro/kernel version Ubuntu 22.04.2 LTS 6.5.0-28-generic

Sysmon configuration Screenshot from 2024-06-28 18-23-58

Additional context I discovered that Sysmon logs a FileCreate event upon receiving the syscall number __NR_CREAT, and it records a FileOpen event when encountering __NR_OPEN during the open system call. Within the open system call hook point handler, Sysmon evaluates the equivalence of the access, change, and modification times associated with the file. If all these timestamps match and the duration between the event times is under 100 milliseconds, it triggers a FileOpen event (which seemingly contradicts the notion of file creation). Notably, Sysmon does not perform this timestamp comparison in the creat system call hook point, consequently reporting a FileCreate event on each creat system call even if the file already exists.
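The timestamp heuristic described in the comment above, rewritten as a stand-alone C program so the asymmetry can be observed from user space. This is an added example, not SysmonForLinux's own code: the three-way atime/mtime/ctime comparison and the 100 ms window come from the comment, while the function names, the CREATE_WINDOW_MS constant, the ./test path and the 200 ms pause are assumptions made for the demo. classify_by_timestamps is kept pure so it can be exercised with constructed timestamps; classify_path applies it to a real file the way a post-syscall hook would.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Outcome of the (hypothetical) classification; the two names mirror the
   Sysmon event types mentioned in the report. */
enum file_event { EVENT_FILE_OPEN = 0, EVENT_FILE_CREATE = 1 };

/* Assumed window, taken from the "under 100 milliseconds" in the comment. */
#define CREATE_WINDOW_MS 100

/* Signed difference a - b in milliseconds. */
static long long ts_diff_ms(struct timespec a, struct timespec b)
{
    return (long long)(a.tv_sec - b.tv_sec) * 1000LL
         + (a.tv_nsec - b.tv_nsec) / 1000000LL;
}

static int ts_equal(struct timespec a, struct timespec b)
{
    return a.tv_sec == b.tv_sec && a.tv_nsec == b.tv_nsec;
}

/* The heuristic as the report describes it: a file whose atime, mtime and
   ctime are identical and no older than CREATE_WINDOW_MS relative to `now`
   is treated as freshly created; anything else is a plain open. */
enum file_event classify_by_timestamps(struct timespec atime,
                                       struct timespec mtime,
                                       struct timespec ctime,
                                       struct timespec now)
{
    if (!ts_equal(atime, mtime) || !ts_equal(mtime, ctime))
        return EVENT_FILE_OPEN;
    long long age_ms = ts_diff_ms(now, mtime);
    if (age_ms < 0 || age_ms >= CREATE_WINDOW_MS)
        return EVENT_FILE_OPEN;
    return EVENT_FILE_CREATE;
}

/* Apply the heuristic to a path after the syscall has returned.
   Returns -1 if the file cannot be stat'ed. */
int classify_path(const char *path)
{
    struct stat st;
    struct timespec now;
    if (stat(path, &st) != 0)
        return -1;
    clock_gettime(CLOCK_REALTIME, &now);
    return classify_by_timestamps(st.st_atim, st.st_mtim, st.st_ctim, now);
}

static const char *event_name(int ev)
{
    if (ev == EVENT_FILE_CREATE) return "FileCreate";
    if (ev == EVENT_FILE_OPEN)   return "FileOpen";
    return "error";
}

int main(void)
{
    const char *path = "./test";   /* assumed demo path, same as the report */
    unlink(path);

    /* 1. open(O_CREAT) on a file that does not exist yet: the inode is created
       with all three timestamps set together, so the heuristic says FileCreate
       if it is applied on the open path at all. */
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (fd < 0) { perror("open"); return 1; }
    close(fd);
    printf("open(O_CREAT) on a new file    -> %s\n", event_name(classify_path(path)));

    /* 2. creat() on the same, now existing, file once the window has passed:
       truncating an existing file refreshes mtime/ctime but not atime, and the
       age check fails as well, so the heuristic says FileOpen. The report says
       the creat hook skips this check and emits FileCreate regardless. */
    struct timespec pause = { 0, 2L * CREATE_WINDOW_MS * 1000000L };
    nanosleep(&pause, NULL);
    fd = creat(path, 0644);
    if (fd < 0) { perror("creat"); return 1; }
    close(fd);
    printf("creat() on an existing file    -> %s\n", event_name(classify_path(path)));

    unlink(path);
    return 0;
}
```

Run it in a directory where ./test does not exist; the first line shows what the timestamp check yields for a genuine creation through open(), and the second shows what it would yield for the creat()-on-existing-file case the report says is logged as FileCreate without any check.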