[EMAIL PROTECTED] (John D. Ramsdell) writes:
> I carefully studied the output of my analysis program, and found one
> particularly odd line of output. I traced it back to an interesting
> audit event in the raw log (syscall 5 is the open system call):
I found the place in the source for the prog
"Wieprecht, Karen M." <[EMAIL PROTECTED]> writes:
> I'm probably out of my league by responding here, but some syscall
> records do have more than one path.
You are correct. I would expect the rename(2) system call to have two
PATH records, and the renameat(4) call to have four. I suppose I
sho
I'm probably out of my league by responding here, but some syscall
records do have more than one path. For instance,
mv file1 file2
will have a path record for both file1 and file2 ... The same type of
thing is true for cp file1 file2
Karen Wieprecht
--
Linux-audit mailing list
I notice that /bin/rm no longer uses the unlink system call, but
instead uses unlinkat.
Steve Grubb <[EMAIL PROTECTED]> writes:
> But openat does give a different output:
...
> Lo and behold the record changes to this:
Note that my trick of looking at the last path record for the file
name wo
On Friday 27 July 2007 10:10:17 John D. Ramsdell wrote:
> Notice this event has two PATH records, whereas all of the many other
> open events I studied in my logs have one PATH record. It's as if the
> open system call can behave as the openat system call. I changed my
> analysis program to use t
Steve Grubb <[EMAIL PROTECTED]> writes:
> I've just released a new version of the audit daemon.
Thank you Steve. With this update, and bug fixes to my code, my
analysis program completes without reporting internal
inconsistencies. This usually means most of the bugs have been
removed.
I care