How to reconstruct file path from PATH records?

Dilin Mao dilin.mao at gmail.com
Tue Dec 7 06:21:27 UTC 2010


Hi,


   We are developing a system to monitor file operations; the difficulty
is how to reconstruct the file path from audit records. We have written some
test cases for the file/dir operation system calls, and found that the number
of path records differs when we try different combinations of absolute or
relative pathnames. For the rename/renameat functions, we have seen four or five
path records per system call; for the link/linkat functions, the number of path
records is two or three. Is there any rule for how the path records are
generated?



   We have also found that the file path can't be reconstructed correctly
sometimes. Take the linkat function as an example:



#include <fcntl.h>
#include <unistd.h>

/* both directory fds point at the same directory, tmpdir below the cwd */
int olddirfd = open("/home/dlmao/test-syscall/tests/tmpdir", O_RDONLY);
int newdirfd = open("/home/dlmao/test-syscall/tests/tmpdir", O_RDONLY);

/* link tmpdir/tmp.f1C3HgoJ1K -> tmpdir/tmpfile4, both names relative to the fds */
linkat(olddirfd, "tmp.f1C3HgoJ1K", newdirfd, "tmpfile4", 0);



but the audit records output are:



type=SYSCALL msg=audit(1291697940.405:66): arch=40000003 syscall=303
success=yes exit=0 a0=3 a1=bfe7ff2c a2=4 a3=bfe7feac items=3 ppid=3573
pid=3609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=4294967295 comm="test-linkat"
exe="/home/dlmao/test-syscall/tests/test-linkat" key=(null)

type=CWD msg=audit(1291697940.405:66):  cwd="/home/dlmao/test-syscall/tests"

type=PATH msg=audit(1291697940.405:66): item=0 name="tmp.f1C3HgoJ1K"
inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00

type=PATH msg=audit(1291697940.405:66): item=1
name="/home/dlmao/test-syscall/tests" inode=287306 dev=08:01 mode=040755
ouid=0 ogid=0 rdev=00:00

type=PATH msg=audit(1291697940.405:66): item=2 name="tmpfile4" inode=284275
dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00


Thanks,

Mao
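A parser for records like the ones quoted above, added here as an illustration and not code from the thread or from the audit project: it groups SYSCALL/CWD/PATH records by serial number, joins relative names to the CWD record, and reports a relative name as unresolved when the syscall received a real directory fd (a0=3 and a2=4 in the records above) instead of AT_FDCWD, because the CWD record is then the wrong base. It assumes AT_FDCWD (-100) appears in the hex argument fields as ffffff9c (32-bit) or ffffffffffffff9c (64-bit), and its syscall-to-dirfd-argument map is filled in only for the i386 linkat number taken from these records.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample: the linkat records quoted above, one record per line.
SAMPLE = """\
type=SYSCALL msg=audit(1291697940.405:66): arch=40000003 syscall=303 success=yes exit=0 a0=3 a1=bfe7ff2c a2=4 a3=bfe7feac items=3 ppid=3573 pid=3609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="test-linkat" exe="/home/dlmao/test-syscall/tests/test-linkat" key=(null)
type=CWD msg=audit(1291697940.405:66):  cwd="/home/dlmao/test-syscall/tests"
type=PATH msg=audit(1291697940.405:66): item=0 name="tmp.f1C3HgoJ1K" inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=1 name="/home/dlmao/test-syscall/tests" inode=287306 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=2 name="tmpfile4" inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""

AT_FDCWD_HEX = {"ffffff9c", "ffffffffffffff9c"}  # assumption: -100 as unsigned hex
# args carrying a directory fd, by syscall number; only i386 linkat (303) from the records above
DIRFD_ARGS = {303: ("a0", "a2")}
HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group SYSCALL/CWD/PATH records by audit serial number."""
    events = defaultdict(lambda: {"syscall": {}, "cwd": None, "paths": []})
    for m in filter(None, map(HEADER.match, text.splitlines())):
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        ev = events[int(serial)]
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields["cwd"]
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return events

def reconstruct(ev):
    """Return [(item, path, resolved)]; relative names are joined to CWD only when
    every dirfd argument is AT_FDCWD, otherwise they are left unresolved, not guessed."""
    sc = ev["syscall"]
    fds = [sc.get(a) for a in DIRFD_ARGS.get(int(sc.get("syscall", -1)), ())]
    real_dirfd = any(fd not in AT_FDCWD_HEX for fd in fds)
    out = []
    for p in sorted(ev["paths"], key=lambda p: int(p["item"])):
        name, item = p["name"], int(p["item"])
        if name.startswith("/"):
            out.append((item, posixpath.normpath(name), True))
        elif real_dirfd or ev["cwd"] is None:
            out.append((item, name, False))
        else:
            out.append((item, posixpath.normpath(posixpath.join(ev["cwd"], name)), True))
    return out
```

Run on the sample, items 0 and 2 come back unresolved, which is exactly the case in the records above where a naive CWD join would produce the wrong directory.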