Should open syscall records occur without a path record?

John D. Ramsdell ramsdell at mitre.org
Mon Jul 23 13:09:22 UTC 2007


I have a test suite that generates every system call analyzed by our
package.  The suite runs several programs that do a variety of things,
including opening files.  I traced the set of programs, and retrieved
the records using

ausearch -r -p P > P.txt

where P is the process ID of each traced program.

When I attempt to analyze the logs, my program blows up because it
assumes that every syscall audit event for the open syscall will
include a PATH record.  I made a quick edit of the analysis program,
and discovered that 24 open syscall records have no PATH record, and
sometimes the CWD record is missing too.

$ python auditopen.py -i ../autsv/*.txt
Of 421 events with a SYSCALL record with syscall=open
401 have CWD
397 have PATH
0 have CWD but no PATH
$

Is it appropriate for audit analysis programs to assume a PATH record
will be available with every open syscall event?  I cannot see how to
do my analysis without the PATH record.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: auditopen.py
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070723/38f8b7a8/attachment.ksh>
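A small checker for the question raised above, added here as an example and not the author's auditopen.py: it groups `ausearch -r` output by event id, counts which open events carry CWD and PATH records, and splits the no-PATH cases into those where the SYSCALL record itself says items=0 (the kernel never emitted a PATH record for that call) and those where items>0 but the PATH record is absent from the log. The sample records are constructed, and treating syscall number 5 as open assumes i386 traces.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch -r` raw format (not from the post): event 1 is
# complete, 2 has CWD but no PATH (items=0), 3 has neither (items=1), 4 is a read.
SAMPLE = """\
type=SYSCALL msg=audit(1185195000.101:1): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=100 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1185195000.101:1):  cwd="/home/jdr"
type=PATH msg=audit(1185195000.101:1): item=0 name="/etc/passwd" inode=12345 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1185195000.102:2): arch=40000003 syscall=5 success=no exit=-2 items=0 pid=100 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1185195000.102:2):  cwd="/home/jdr"
type=SYSCALL msg=audit(1185195000.103:3): arch=40000003 syscall=5 success=yes exit=4 items=1 pid=100 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1185195000.104:4): arch=40000003 syscall=3 success=yes exit=10 items=0 pid=100 comm="cat" exe="/bin/cat"
"""

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')  # event id
OPEN_SYSCALLS = {"5", "open"}  # assumption: i386 open(2) number, or the -i name

def field(line, name):
    m = re.search(rf'\b{name}=(\S+)', line)
    return m.group(1) if m else None

def group_events(text):
    """Group raw lines into {event_id: [(record_type, line), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events[f"{m[2]}:{m[3]}"].append((m[1], line))
    return events

def summarize_open_events(text):
    """Count open events and classify those arriving without a PATH record."""
    c = {"open": 0, "cwd": 0, "path": 0, "cwd_no_path": 0,
         "no_path_items0": [], "no_path_lost": []}
    for eid, recs in group_events(text).items():
        types = {t for t, _ in recs}
        sysrecs = [l for t, l in recs if t == "SYSCALL"]
        if not any(field(l, "syscall") in OPEN_SYSCALLS for l in sysrecs):
            continue
        c["open"] += 1
        c["cwd"] += "CWD" in types
        c["path"] += "PATH" in types
        c["cwd_no_path"] += "CWD" in types and "PATH" not in types
        if "PATH" not in types:
            # items=0: the kernel emitted no PATH record for this call;
            # items>0 but no PATH: the record was dropped somewhere.
            key = "no_path_items0" if field(sysrecs[0], "items") == "0" else "no_path_lost"
            c[key].append(eid)
    return c
```

Run over the real P.txt files, the two lists tell you whether the missing PATH records are ones the kernel never produced or ones that went missing between the kernel and the log.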
