On Friday, December 06, 2013 08:42:44 AM Peter Moody wrote: > > If I access a file with relative path, the PATH audit message would be > > a relative path as well. > > > > I wonder if I can change this behavior without modifying the kernel? > > IIUC, there should be a CWD message to go along with the PATH message. > You should be able to use that to find the absolute path
That is correct. What I do is take the cwd field and concatenate path and then run it through realpath(3) to finalize it. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
