Steve Grubb <sgrubb(a)redhat.com> writes:
> There should be a PATH record for every open. Have you verified the
> logs or are you trusting ausearch?
The short version of what I found is that the missing PATH records
always appear in the raw logs, but both ausearch and auparse fail to
return some PATH records with their associated SYSCALL record. A PATH
record gets ignored when another syscall event record occurs between
the SYSCALL record and the PATH record.
I'll send you a long version of my results offline, as the data to
support the report is voluminous.
John
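As an added example (not from this thread or the audit project), a Python check that groups raw audit.log records by the serial in msg=audit(ts:serial) rather than by position, so a PATH record that arrives after another event has started still lands with its own SYSCALL, and that reports events whose items= count is not matched by PATH records. The log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log lines (not real data). Event 24287's
# PATH record is written after event 24288 has already started, which is
# the interleaving described in the message above.
RAW_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=yes exit=3 items=1 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="etc-read"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/alice"
type=SYSCALL msg=audit(1364481363.244:24288): arch=c000003e syscall=2 success=yes exit=4 items=1 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="etc-read"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=PATH msg=audit(1364481363.244:24288): item=0 name="/etc/hosts" inode=3 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(raw):
    """Group records by serial, not by position, and flag interleaved events."""
    events = defaultdict(lambda: {"syscall": None, "paths": [], "interleaved": False})
    open_serials = []  # serials whose PATH records have not all arrived yet
    for line in raw.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        ev = events[serial]
        if rtype == "SYSCALL":
            ev["syscall"] = fields
            # Every event still open when a new SYSCALL starts is interleaved.
            for s in open_serials:
                events[s]["interleaved"] = True
            ev["interleaved"] = ev["interleaved"] or bool(open_serials)
            open_serials.append(serial)
        elif rtype == "PATH":
            ev["paths"].append(fields["name"])
            # The event is complete once items= PATH records have been seen.
            if ev["syscall"] and len(ev["paths"]) == int(ev["syscall"]["items"]):
                open_serials.remove(serial)
    return dict(events)


def incomplete_events(events):
    """Serials whose SYSCALL declares more items than PATH records were found."""
    return sorted(s for s, ev in events.items()
                  if ev["syscall"] and len(ev["paths"]) < int(ev["syscall"]["items"]))
```

Running incomplete_events over the raw log and comparing against what ausearch returns for the same serials separates a parser problem from a genuinely missing record.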