I have a test suite that generates every system call analyzed by our
package. The suite runs several programs that do a variety of things,
including opening files. I traced the set of programs, and retrieved
the records using
ausearch -r -p P > P.txt
where P is the process ID of each traced program.
When I attempt to analyze the logs, my program blows up because it
assumes that every syscall audit event for the open syscall will
include a PATH record. I made a quick edit of the analysis program,
and discovered that 24 open syscall records have no PATH record, and
sometimes the CWD record is missing too.
$ python auditopen.py -i ../autsv/*.txt
Of 421 events with a SYSCALL record with syscall=open
401 have CWD
397 have PATH
0 have CWD but no PATH
$
Is it appropriate for audit analysis programs to assume a PATH record
will be available with every open syscall event? I cannot see how to
do my analysis without the PATH record.
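As an added example (not part of the original post, and not code from the audit package), here is one way an analysis script can group the raw records produced by ausearch -r by their audit(ts:serial) event id and then tolerate open events that have no PATH record, or no CWD record, instead of assuming one is always present. The sample records are constructed for the example, not captured from a real system; the script recognises both the interpreted form (syscall=open) and the raw x86_64 form (arch=c000003e syscall=2); the function names analyze, parse_records and resolve_path are chosen here.

```python
import os
import re
from collections import defaultdict

# Constructed sample in the layout of `ausearch -r` output (not real captured data).
SAMPLE = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=3452 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/user"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/hosts" inode=409248 dev=fd:00 mode=0100644
type=SYSCALL msg=audit(1364481363.250:24288): arch=c000003e syscall=2 success=yes exit=4 items=1 pid=3452 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1364481363.250:24288): cwd="/home/user"
type=PATH msg=audit(1364481363.250:24288): item=0 name="notes.txt" inode=409300 dev=fd:00 mode=0100644
type=SYSCALL msg=audit(1364481363.260:24289): arch=c000003e syscall=2 success=no exit=-13 items=0 pid=3452 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1364481363.260:24289): cwd="/home/user"
type=SYSCALL msg=audit(1364481363.270:24290): arch=c000003e syscall=2 success=no exit=-2 items=0 pid=3452 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1364481363.280:24291): arch=c000003e syscall=257 success=yes exit=5 items=1 pid=3452 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1364481363.280:24291): cwd="/home/user"
type=PATH msg=audit(1364481363.280:24291): item=0 name="/etc/group" inode=409310 dev=fd:00 mode=0100644
type=SYSCALL msg=audit(1364481363.290:24292): arch=x86_64 syscall=open success=yes exit=6 items=1 pid=3452 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1364481363.290:24292): cwd="/home/user"
type=PATH msg=audit(1364481363.290:24292): item=0 name="/etc/passwd" inode=409320 dev=fd:00 mode=0100644
"""

# "type=SYSCALL msg=audit(1364481363.243:24287): ..." -> type, event id, rest of record
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<event>[\d.]+:\d+)\):\s*(?P<body>.*)$')
# key=value pairs; a value is either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

X86_64_OPEN = '2'   # syscall number of open(2) when arch=c000003e


def parse_records(text):
    """Group raw audit records into events keyed by their audit(ts:serial) id.
    Records that belong to one syscall share the same id, whatever order or
    separators ausearch emitted them with."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank lines, "----" separators, anything unrecognised
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
        fields['type'] = m.group('type')
        events[m.group('event')].append(fields)
    return events


def is_open(rec):
    """True for a SYSCALL record describing open(2), in either the
    interpreted (syscall=open) or raw x86_64 (syscall=2) form."""
    if rec['type'] != 'SYSCALL':
        return False
    sc = rec.get('syscall')
    return sc == 'open' or (sc == X86_64_OPEN and rec.get('arch') == 'c000003e')


def resolve_path(recs):
    """Absolute path(s) named by the event's PATH records, joining relative
    names against the CWD record; [] when the event carries no PATH record."""
    cwd = next((r['cwd'] for r in recs if r['type'] == 'CWD'), None)
    paths = []
    for r in recs:
        if r['type'] != 'PATH' or 'name' not in r:
            continue
        name = r['name']
        if not name.startswith('/') and cwd:
            name = os.path.normpath(os.path.join(cwd, name))
        paths.append(name)
    return paths


def analyze(text):
    """Count open events by which auxiliary records they carry, and keep the
    SYSCALL fields of events lacking PATH so the gap can be examined from the
    record itself rather than assumed away."""
    s = {'open_events': 0, 'with_cwd': 0, 'with_path': 0, 'cwd_no_path': 0, 'no_path': []}
    for event_id, recs in parse_records(text).items():
        syscall = next((r for r in recs if is_open(r)), None)
        if syscall is None:
            continue
        has_cwd = any(r['type'] == 'CWD' for r in recs)
        has_path = any(r['type'] == 'PATH' for r in recs)
        s['open_events'] += 1
        s['with_cwd'] += int(has_cwd)
        s['with_path'] += int(has_path)
        s['cwd_no_path'] += int(has_cwd and not has_path)
        if not has_path:
            s['no_path'].append((event_id, syscall.get('success'), syscall.get('exit'), syscall.get('items')))
    return s


if __name__ == '__main__':
    s = analyze(SAMPLE)
    print("Of %d events with a SYSCALL record for open" % s['open_events'])
    print("%d have CWD" % s['with_cwd'])
    print("%d have PATH" % s['with_path'])
    print("%d have CWD but no PATH" % s['cwd_no_path'])
    for event_id, success, exit_code, items in s['no_path']:
        print("no PATH: %s success=%s exit=%s items=%s" % (event_id, success, exit_code, items))
```

Feeding the script a real ausearch -r capture instead of SAMPLE is a matter of reading the file into analyze; the useful part for the question above is the no_path list, which keeps success, exit and items from each PATH-less SYSCALL record so those events can be inspected individually rather than crashing the analysis.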