Hi Steve,
If you do a 'find . -inum 770531' do you find anything?
-debbie
linux-audit-bounces@redhat.com wrote on 06/07/2005 01:29:22 PM:
Hello,
ran another test on .56 kernel. I wanted to make sure we are logging
parameters for execve so we can see what is being executed:
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=1 inode=770531 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=0 name=/bin/ls inode=1048599 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(06/07/05 14:14:28.592:5004271) : cwd=/root
type=SYSCALL msg=audit(06/07/05 14:14:28.592:5004271) : arch=i386 syscall=execve success=yes exit=0 a0=9195ab8 a1=91a9838 a2=91b1900 a3=91a9838 items=2 pid=4167 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=ls exe=/bin/ls
What is the first PATH record showing? I was expecting only 1 item, not 2.
There is no name, yet the mode says it's a file. I've checked several apps
doing execve, they all have the same first record with same inode no matter
what I run.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
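As an added example (not part of the mail thread, and not audit's own tooling), here is a small Python parser that does by hand what Steve was doing by eye: it groups the posted records by their audit serial, pulls out the execve event's PATH items, checks that the SYSCALL record's items= count matches the number of PATH records, and flags the item that carries no name= field, printing Debbie's find -inum check for it. The sample records are the ones from Steve's mail, re-joined onto one line each; the function and variable names are my own, and the page says nothing about what inode 770531 actually is, so the script only reports it.

```python
"""Group Linux audit records by event serial and inspect execve PATH items."""
import re
from collections import defaultdict

# Constructed sample: the records from Steve's mail, one record per line
# (the mail had them wrapped). Record format is the 2005-era ausearch -i
# style; note the item=1 PATH record has no name= field.
SAMPLE_LOG = """\
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=1 inode=770531 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=0 name=/bin/ls inode=1048599 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(06/07/05 14:14:28.592:5004271) : cwd=/root
type=SYSCALL msg=audit(06/07/05 14:14:28.592:5004271) : arch=i386 syscall=execve success=yes exit=0 a0=9195ab8 a1=91a9838 a2=91b1900 a3=91a9838 items=2 pid=4167 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=ls exe=/bin/ls
"""

# The serial after the LAST colon inside msg=audit(...) ties the records of
# one syscall together; the timestamp before it contains colons of its own,
# so [^)]+ is allowed to backtrack until ":<digits>)" matches.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[^)]+):(?P<serial>\d+)\) : (?P<body>.*)$"
)


def parse_records(text):
    """Parse one audit record per line into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        # Simplification (assumption): values here contain no spaces. Real
        # ausearch -i output can quote values with spaces, which split() would break.
        for kv in m.group("body").split():
            key, _, value = kv.partition("=")
            fields[key] = value
        records.append({"type": m.group("type"), "ts": m.group("ts"),
                        "serial": m.group("serial"), "fields": fields})
    return records


def group_events(records):
    """Bucket records by serial: one bucket is one syscall event."""
    events = defaultdict(list)
    for rec in records:
        events[rec["serial"]].append(rec)
    return dict(events)


def syscall_record(event):
    """Return the fields of the event's SYSCALL record, or None if it has none."""
    for rec in event:
        if rec["type"] == "SYSCALL":
            return rec["fields"]
    return None


def path_items(event):
    """PATH items of an event as (item, name-or-None, inode), ordered by item number."""
    items = []
    for rec in event:
        if rec["type"] == "PATH":
            f = rec["fields"]
            items.append((int(f["item"]), f.get("name"), f.get("inode")))
    return sorted(items, key=lambda t: t[0])


def items_consistent(event):
    """True when the SYSCALL items= count equals the number of PATH records seen."""
    sc = syscall_record(event)
    return sc is not None and int(sc.get("items", -1)) == len(path_items(event))


def unnamed_path_inodes(text):
    """serial -> inodes of PATH records with no name= field, for execve events only."""
    out = {}
    for serial, event in group_events(parse_records(text)).items():
        sc = syscall_record(event)
        if not sc or sc.get("syscall") != "execve":
            continue
        missing = [inode for _, name, inode in path_items(event) if name is None]
        if missing:
            out[serial] = missing
    return out


if __name__ == "__main__":
    for serial, inodes in unnamed_path_inodes(SAMPLE_LOG).items():
        print(f"event {serial}: unnamed PATH item(s), inode {', '.join(inodes)}")
        # Debbie's suggestion from the thread, run from / to cover the whole fs:
        print(f"  check with: find / -xdev -inum {inodes[0]}")
```

Run against a real log, replace SAMPLE_LOG with the output of `ausearch -i -sc execve`; the parser keys only on the serial, so multiple events in one file fall into separate buckets and each is checked on its own.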