hexified path in cwd audit message if dir no longer exists

paul moore paulmoore100 at hotmail.com
Mon May 7 16:48:15 UTC 2007


No - since I was not running auditd it didn't get written in user space. But
the clip I show is directly from the audit buffer returned by
audit_get_reply (I poked the \0 onto the end of the buffer).

audit(1178324383.479:1566): cwd=2F70726F632F35373336202864656C6574656429\000

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Saturday, May 05, 2007 6:34 AM
To: linux-audit at redhat.com
Cc: paul moore
Subject: Re: hexified path in cwd audit message if dir no longer exists

On Friday 04 May 2007 20:47:19 paul moore wrote:
> Occasionally I get a CWD audit message that has a hexified path in it.
> Like this
>
> $1 = "audit(1178324383.479:1566):
> cwd=2F70726F632F35373336202864656C6574656429\000
> This is "/proc/5736"

Could you tell me what you get when you pull this event's record out with
ausearch -i ?

-Steve
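
The hex form of such a field can be decoded by hand, which is the kind of interpretation `ausearch -i` is being asked for above. The following is an added example, not part of the thread or of the audit project's code; the `STRING_FIELDS` subset, the helper names and the encoding rule in `needs_hex` are assumptions, and the sample is the record quoted in the thread with the trailing `\000` dropped.

```python
import re

# Constructed sample: the record quoted in the thread, without the trailing \000.
SAMPLE = "audit(1178324383.479:1566): cwd=2F70726F632F35373336202864656C6574656429"

# Assumption: a small subset of the fields logged as "untrusted strings".
STRING_FIELDS = {"cwd", "name", "exe", "comm"}
HEADER = re.compile(r"audit\((\d+\.\d+):(\d+)\):\s*")
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def needs_hex(raw: bytes) -> bool:
    """Assumption: mirrors the kernel's untrusted-string check (the exact
    upper bound has varied between kernel versions). A string is hex-encoded
    when any byte is a double quote, below 0x21 (space, control) or above 0x7e."""
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in raw)


def decode_value(field: str, value: str) -> str:
    """Return the human-readable form of one field value."""
    if field not in STRING_FIELDS:
        return value                      # numeric fields stay as logged
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]                # quoted: safe string, logged literally
    if HEX.fullmatch(value):
        raw = bytes.fromhex(value)        # bare hex: string needed encoding
        return raw.decode("utf-8", errors="backslashreplace")
    return value                          # anything else is left untouched


def parse_record(line: str) -> dict:
    """Split one record into timestamp, serial and decoded fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record")
    out = {"timestamp": float(m.group(1)), "serial": int(m.group(2))}
    # Quoted values never contain spaces (a space forces hex encoding),
    # so a whitespace split is enough to separate the key=value pairs.
    for pair in line[m.end():].split():
        key, sep, value = pair.partition("=")
        if sep:
            out[key] = decode_value(key, value)
    return out


if __name__ == "__main__":
    print(parse_record(SAMPLE))
```

The decoded value carries a " (deleted)" suffix after the path, and the space in that suffix is what makes `needs_hex` true for this string.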