Hi,
We are developing a system to monitor file operations; the difficulty is how to reconstruct the file path from audit records. We have written some test cases for the system calls of file/dir operations, and found that the number of path records differs when we try different combinations of absolute or relative pathnames. For the rename/renameat functions, we have seen four or five path records per system call; for the link/linkat functions, the number of path records is two or three. Is there any rule for how the path records are generated?
We have also found that the file path can't be reconstructed correctly sometimes. Take the linkat function as an example:
olddirfd = open("/home/dlmao/test-syscall/tests/tmpdir", O_RDONLY);
newdirfd = open("/home/dlmao/test-syscall/tests/tmpdir", O_RDONLY);
linkat(olddirfd, "tmp.f1C3HgoJ1K", newdirfd, "tmpfile4", 0);
but the audit records output are:
type=SYSCALL msg=audit(1291697940.405:66): arch=40000003 syscall=303 success=yes exit=0 a0=3 a1=bfe7ff2c a2=4 a3=bfe7feac items=3 ppid=3573 pid=3609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="test-linkat" exe="/home/dlmao/test-syscall/tests/test-linkat" key=(null)
type=CWD msg=audit(1291697940.405:66): cwd="/home/dlmao/test-syscall/tests"
type=PATH msg=audit(1291697940.405:66): item=0 name="tmp.f1C3HgoJ1K" inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=1 name="/home/dlmao/test-syscall/tests" inode=287306 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=2 name="tmpfile4" inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
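As an added example (not part of the original post), here is a small Python parser that groups the records above by event serial and reconstructs one path per PATH item, flagging relative names that the kernel resolved against a dirfd rather than against cwd, which is exactly why the cwd-joined path for item=0 above cannot be trusted. Event 67 in the sample is constructed for contrast; the i386 syscall number for linkat (303) and the 32-bit AT_FDCWD value are written in as assumptions.

```python
import re
from os.path import join, normpath

# Constructed sample: event 66 is the linkat capture from the post (trimmed); event 67 is a made-up linkat via AT_FDCWD.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1291697940.405:66): arch=40000003 syscall=303 success=yes exit=0 a0=3 a1=bfe7ff2c a2=4 a3=bfe7feac items=3 comm="test-linkat"
type=CWD msg=audit(1291697940.405:66): cwd="/home/dlmao/test-syscall/tests"
type=PATH msg=audit(1291697940.405:66): item=0 name="tmp.f1C3HgoJ1K" inode=284275 dev=08:01 mode=0100600
type=PATH msg=audit(1291697940.405:66): item=1 name="/home/dlmao/test-syscall/tests" inode=287306 dev=08:01 mode=040755
type=PATH msg=audit(1291697940.405:66): item=2 name="tmpfile4" inode=284275 dev=08:01 mode=0100600
type=SYSCALL msg=audit(1291697940.500:67): arch=40000003 syscall=303 success=yes exit=0 a0=ffffff9c a1=bfe7ff2c a2=ffffff9c a3=bfe7feac items=2 comm="test-linkat"
type=CWD msg=audit(1291697940.500:67): cwd="/home/dlmao/test-syscall/tests/tmpdir"
type=PATH msg=audit(1291697940.500:67): item=0 name="tmp.f1C3HgoJ1K" inode=284275 dev=08:01 mode=0100600
type=PATH msg=audit(1291697940.500:67): item=1 name="tmpfile5" inode=284275 dev=08:01 mode=0100600
"""

AT_FDCWD = 0xFFFFFF9C  # -100 as a 32-bit value; arch=40000003 is i386, so syscall args are 32-bit
# Syscall arguments that carry a directory fd, keyed by (arch, syscall number).
# Only i386 linkat(olddirfd, oldpath, newdirfd, newpath, flags) is filled in here (assumption).
DIRFD_ARGS = {("40000003", "303"): ("a0", "a2")}
FIELD_RE = re.compile(r'(?<!\S)(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_log(text):
    """Group audit records by event serial (the number after ':' in msg=audit(...))."""
    events = {}
    for line in filter(str.strip, text.splitlines()):
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in FIELD_RE.finditer(line)}
        serial = re.search(r":(\d+)\)", fields["msg"]).group(1)
        events.setdefault(serial, []).append(fields)
    return events

def reconstruct_paths(records):
    """Return [(item, reconstructed path, how it was resolved)] for one event."""
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), "")
    dirfd_args = DIRFD_ARGS.get((syscall["arch"], syscall["syscall"]), ())
    uses_dirfd = any(int(syscall[a], 16) != AT_FDCWD for a in dirfd_args)
    out = []
    for r in sorted((r for r in records if r["type"] == "PATH"), key=lambda r: int(r["item"])):
        name = r["name"]
        if name.startswith("/"):
            how = "absolute"
        elif uses_dirfd:
            # Kernel resolved this name against a dirfd, but only cwd is logged: the joined path is a guess.
            how = "relative to dirfd (guessed via cwd)"
        else:
            how = "relative to cwd"
        out.append((int(r["item"]), normpath(join(cwd, name)), how))
    return out
```

Run `reconstruct_paths(parse_log(SAMPLE_LOG)["66"])` to see items 0 and 2 flagged as dirfd-relative while item 1 resolves cleanly.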