Aha - it actually says "xxxx (deleted)".
Which is OK I guess. But I would have thought that the unstrusted string
routine would know that this is a string generated by the kernel audit
system and so not escape it
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Saturday, May 05, 2007 6:34 AM
To: linux-audit(a)redhat.com
Cc: paul moore
Subject: Re: hexified path in cwd audit message if dir no longer exists
On Friday 04 May 2007 20:47:19 paul moore wrote:
Occasiaonally I get a CWD audit message that has a hexified path in
it.
Like this
$1 = "audit(1178324383.479:1566):
cwd=2F70726F632F35373336202864656C6574656429\000
This is "/proc/5736"
Could you tell me what you get when you pull this event's record out with
ausearch -i ?
-Steve