Hi Steve,
If you do a 'find . -inum 770531' do you find anything?
-debbie
linux-audit-bounces@redhat.com wrote on 06/07/2005 01:29:22 PM:
> Hello,
> Ran another test on .56 kernel. I wanted to make sure we are logging
> parameters for execve so we can see what is being executed:
> type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=1 inode=770531
> dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
> type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=0 name=/bin/ls
> inode=1048599 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
> type=CWD msg=audit(06/07/05 14:14:28.592:5004271) : cwd=/root
> type=SYSCALL msg=audit(06/07/05 14:14:28.592:5004271) : arch=i386
> syscall=execve success=yes exit=0 a0=9195ab8 a1=91a9838 a2=91b1900 a3=91a9838
> items=2 pid=4167 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root comm=ls exe=/bin/ls
> What is the first PATH record showing? I was expecting only 1 item, not 2.
> There is no name, yet the mode says it's a file. I've checked several apps
> doing execve, they all have the same first record with same inode no matter
> what I run.
> -Steve
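
An added example (not part of the original thread): the records Steve quotes, correlated by audit serial number to list PATH items that carry no name= field, along with the inode and dev needed for an inode lookup such as the find -inum suggested above. The function names are illustrative, and the parser assumes interpreted records whose field values contain no spaces.

```python
import re
from collections import defaultdict

# Records quoted in the thread, with the e-mail line wrapping undone.
SAMPLE = """\
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=1 inode=770531 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=0 name=/bin/ls inode=1048599 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(06/07/05 14:14:28.592:5004271) : cwd=/root
type=SYSCALL msg=audit(06/07/05 14:14:28.592:5004271) : arch=i386 syscall=execve success=yes exit=0 a0=9195ab8 a1=91a9838 a2=91b1900 a3=91a9838 items=2 pid=4167 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=ls exe=/bin/ls
"""

# The timestamp itself contains colons and a space, so the serial number is
# taken as the digits after the last colon inside audit(...).
HEADER = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\)\s*:\s*(.*)$")


def parse_events(text):
    """Group records by audit serial number: {serial: {type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or non-audit lines
        rtype, _timestamp, serial, body = m.groups()
        fields = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
        events[int(serial)][rtype].append(fields)
    return events


def nameless_paths(events):
    """Return PATH items lacking name=, and whether items= matches the PATH count."""
    findings = []
    for serial, recs in events.items():
        paths = recs.get("PATH", [])
        declared = [int(s["items"]) for s in recs.get("SYSCALL", []) if "items" in s]
        items_match = (not declared) or declared[0] == len(paths)
        for p in paths:
            if "name" not in p:
                findings.append({"serial": serial, "item": int(p["item"]),
                                 "inode": int(p["inode"]), "dev": p["dev"],
                                 "items_match": items_match})
    return findings


if __name__ == "__main__":
    for finding in nameless_paths(parse_events(SAMPLE)):
        print(finding)
```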