Should open syscall records occur without a path record?

John D. Ramsdell ramsdell at mitre.org
Mon Jul 23 18:47:33 UTC 2007


Steve Grubb <sgrubb at redhat.com> writes:

> There should be a PATH record for every open. Have you verified the
> logs or trusting ausearch?

The short version of what I found is that the missing PATH records
always appear in the raw logs, but both ausearch and auparse fail to
return some PATH records with their associated SYSCALL record.  A PATH
record gets ignored when another syscall event record occurs between
the SYSCALL record and the PATH record.

I'll send you a long version of my results offline, as the data to
support the report is voluminous.

John
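The interleaving John describes, as an added example that is not part of the original message or of the audit project's code: a small Python parser over a constructed audit.log fragment in which event 101's CWD and PATH records are written only after event 102's SYSCALL record. The `group_contiguous` function is a model of the failure mode (a reader that assumes an event's records always follow its SYSCALL record without interruption and discards anything else as stray); it is an assumption used to illustrate the symptom, not a description of how ausearch or auparse are implemented. The `group_by_serial` function keys every record on the `audit(timestamp:serial)` id, which is the grouping that survives interleaving. All log lines, paths, inodes and serials below are made up.

```python
import re
from collections import OrderedDict

# Constructed sample, not data from the report. Event 101's CWD and PATH
# records land after event 102's SYSCALL record, which is the interleaving
# the message describes. Syscall 2 is open(2) on x86_64 (arch c000003e).
RAW_LOG = """\
type=SYSCALL msg=audit(1185209253.101:101): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1185209253.102:102): arch=c000003e syscall=2 success=no exit=-13 comm="less" exe="/usr/bin/less"
type=CWD msg=audit(1185209253.101:101): cwd="/home/jdr"
type=PATH msg=audit(1185209253.101:101): item=0 name="/etc/hosts" inode=12345 mode=0100644
type=CWD msg=audit(1185209253.102:102): cwd="/home/jdr"
type=PATH msg=audit(1185209253.102:102): item=0 name="/etc/shadow" inode=67890 mode=0100000
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit line into its type, event serial and a field dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, _ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "serial": int(serial), "fields": fields}


def records(raw):
    return [parse_record(l) for l in raw.splitlines() if l.strip()]


def group_contiguous(raw):
    """Model of the failure mode (an assumption, not auparse's real logic):
    every record of an event is expected to follow its SYSCALL record with
    nothing else in between. A record whose serial does not match the event
    currently being assembled is treated as stray and dropped."""
    events = OrderedDict()
    current = None
    for rec in records(raw):
        if rec["type"] == "SYSCALL":
            current = rec["serial"]
            events[current] = {"syscall": rec["fields"], "paths": []}
        elif current is not None and rec["serial"] == current:
            if rec["type"] == "PATH":
                events[current]["paths"].append(rec["fields"]["name"])
        # any other record (wrong serial, or before the first SYSCALL) is lost
    return events


def group_by_serial(raw):
    """Robust grouping: key every record on its audit(ts:serial) id, so a PATH
    record reaches its own event no matter what was logged in between."""
    events = OrderedDict()
    for rec in records(raw):
        ev = events.setdefault(rec["serial"], {"syscall": None, "paths": []})
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec["fields"]
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["fields"]["name"])
    return events


def opens_without_path(events, open_nr="2"):
    """Serials of open(2) events that ended up with no PATH record attached."""
    return [s for s, ev in events.items()
            if ev["syscall"] and ev["syscall"].get("syscall") == open_nr
            and not ev["paths"]]


if __name__ == "__main__":
    # The contiguous reader reports event 101 as an open without a PATH;
    # the serial-keyed reader finds a PATH for both events.
    print("contiguous:", opens_without_path(group_contiguous(RAW_LOG)))
    print("by serial: ", opens_without_path(group_by_serial(RAW_LOG)))
```

Running `opens_without_path` over the two groupings reproduces the symptom: the contiguous model loses event 101's `/etc/hosts` PATH record (and its CWD record), while grouping by serial keeps both events complete. The same serial-keyed check is a cheap way to verify a raw log against what a log reader returns, which is what the message reports having done.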
