Hello, I need to get the absolute path from audit events. An audit event can contain a relative path in the PATH record - if I concatenate the path in the CWD record with the relative path in the PATH record, do I always get the absolute path?
Also, some audit events contain more than one PATH record, for example:

type=SYSCALL msg=audit(1274190814.081:7): arch=c000003e syscall=165 success=yes exit=0 a0=1783fe0 a1=1784000 a2=1784020 a3=ffffffffc0ed0006 items=2 ppid=26725 pid=26726 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
type=CWD msg=audit(1274190814.081:7): cwd="/"
type=PATH msg=audit(1274190814.081:7): item=0 name="/media/flash" inode=15592 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1274190814.081:7): item=1 name=(null) inode=395117 dev=00:0c mode=060660 ouid=0 ogid=6 rdev=08:11

Is the first PATH record more important than the others? I need to get the "/media/flash" from the audit event.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
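The following is an added worked example, not code from the original post or from the audit project: a small parser that groups the SYSCALL, CWD and PATH records of one event by their audit(timestamp:serial) id, then joins cwd with each PATH name to produce an absolute path. The sample log embeds the mount event quoted above plus a second, constructed event with a relative name (the second event, its pid, cwd and file names are made up for illustration). Function names (parse_audit_log, resolve_paths) are this example's own.

```python
import posixpath
import re
from collections import OrderedDict

# Constructed sample input. Event :7 is the mount event from the post above;
# event :8 is invented to show a relative PATH name resolved against CWD.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1274190814.081:7): arch=c000003e syscall=165 success=yes exit=0 a0=1783fe0 a1=1784000 a2=1784020 a3=ffffffffc0ed0006 items=2 ppid=26725 pid=26726 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
type=CWD msg=audit(1274190814.081:7): cwd="/"
type=PATH msg=audit(1274190814.081:7): item=0 name="/media/flash" inode=15592 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1274190814.081:7): item=1 name=(null) inode=395117 dev=00:0c mode=060660 ouid=0 ogid=6 rdev=08:11
type=SYSCALL msg=audit(1274190900.500:8): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=31337 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1274190900.500:8): cwd="/home/alice/project"
type=PATH msg=audit(1274190900.500:8): item=0 name="../notes/todo.txt" inode=1 dev=08:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
"""

# key=value tokens: a double-quoted string, a parenthesised marker such as
# (null)/(none), or a bare run of non-space characters.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\([^)]*\)|\S+)')
EVENT_ID_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def _decode_value(key, raw):
    """Strip quotes, map (null)/(none) to None, hex-decode unquoted names."""
    if raw in ("(null)", "(none)"):
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key == "name" and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        # auditd hex-encodes a name that contains quotes, spaces or control bytes
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Parse one audit record line into an ordered dict of fields, or None."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    fields = OrderedDict()
    for key, raw in TOKEN_RE.findall(line):
        fields[key] = _decode_value(key, raw)
    fields["event_id"] = f"{m.group(1)}:{m.group(2)}"
    return fields


def parse_audit_log(text):
    """Group records by event id: {event_id: {"syscall", "cwd", "paths": [...]}}."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec is None:
            continue
        ev = events.setdefault(rec["event_id"],
                               {"syscall": None, "cwd": None, "paths": []})
        rtype = rec.get("type")
        if rtype == "SYSCALL":
            ev["syscall"] = rec
        elif rtype == "CWD":
            ev["cwd"] = rec.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(rec)
    return events


def resolve_paths(event):
    """Return [(item, absolute_path_or_None)] for each PATH record, in item order.

    Resolution is lexical (posixpath.normpath), so '..' through a symlink may
    differ from what the kernel actually opened. A relative name is joined with
    cwd only; for *at() syscalls with a dirfd other than AT_FDCWD the name is
    relative to that directory, and this join would be wrong.
    """
    out = []
    for rec in sorted(event["paths"], key=lambda r: int(r.get("item", 0))):
        item = int(rec.get("item", 0))
        name = rec.get("name")
        if name is None:
            out.append((item, None))  # name=(null): only inode/dev identify the object
        elif posixpath.isabs(name):
            out.append((item, posixpath.normpath(name)))
        elif event["cwd"] is not None:
            out.append((item, posixpath.normpath(posixpath.join(event["cwd"], name))))
        else:
            out.append((item, None))  # relative name but no CWD record: unresolvable
    return out


if __name__ == "__main__":
    for event_id, ev in parse_audit_log(SAMPLE_LOG).items():
        comm = ev["syscall"]["comm"] if ev["syscall"] else "?"
        print(event_id, comm, resolve_paths(ev))
```

Run as a script it prints, for the mount event, `[(0, '/media/flash'), (1, None)]`: item 0 is the absolute mount point, item 1 has name=(null) and is identified only by inode/dev. For the constructed event, the relative name joins with cwd to `/home/alice/notes/todo.txt`. The docstring of resolve_paths lists the two cases where a plain cwd join is not enough: lexical `..` handling and names relative to a dirfd.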
