
Re: execve



Hi Steve,

If you do a 'find . -inum 770531' do you find anything?

-debbie

linux-audit-bounces redhat com wrote on 06/07/2005 01:29:22 PM:

> Hello,

> Ran another test on .56 kernel. I wanted to make sure we are logging
> parameters for execve so we can see what is being executed:

> type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=1 inode=770531
> dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
> type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=0 name=/bin/ls
> inode=1048599 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
> type=CWD msg=audit(06/07/05 14:14:28.592:5004271) :  cwd=/root
> type=SYSCALL msg=audit(06/07/05 14:14:28.592:5004271) : arch=i386
> syscall=execve success=yes exit=0 a0=9195ab8 a1=91a9838 a2=91b1900 a3=91a9838
> items=2 pid=4167 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root comm=ls exe=/bin/ls

> What is the first PATH record showing? I was expecting only 1 item, not 2.
> There is no name, yet the mode says it's a file. I've checked several apps
> doing execve, they all have the same first record with same inode no matter
> what I run.

> -Steve
