[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: the PATH record

On Tuesday 18 May 2010 10:07:02 am Juraj Hlista wrote:
> I need to get the absolute path from audit events. An audit event can
> contain a relative path in the PATH record - if I concatenate the path
> in the CWD record with the relative path in the PATH record, do I
> always get the absolute path?

Sort of - you probably need to run the concatenated string through realpath() 
to canonicalize the path.

> Also, some audit events contain more than one PATH record, for example:
> type=SYSCALL msg=audit(1274190814.081:7): arch=c000003e syscall=165
> success=yes exit=0 a0=1783fe0 a1=1784000 a2=1784020
> a3=ffffffffc0ed0006 items=2 ppid=26725 pid=26726 auid=0 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="mount" exe="/bin/mount" key=(null)
> type=CWD msg=audit(1274190814.081:7):  cwd="/"
> type=PATH msg=audit(1274190814.081:7): item=0 name="/media/flash"
> inode=15592 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1274190814.081:7): item=1 name=(null) inode=395117
> dev=00:0c mode=060660 ouid=0 ogid=6 rdev=08:11
> Is the first PATH record more important than the others?

The one with name=null should be thrown away. I forget why we have those, but 
the one with actual text is the right one. Also note that both name and cwd 
follow the hex encoded field rules. If you are using auparse to examine the 
records, you will always want to use the interpreted values.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]