On Tuesday 18 May 2010 10:07:02 am Juraj Hlista wrote:
> I need to get the absolute path from audit events. An audit event can
> contain a relative path in the PATH record - if I concatenate the path
> in the CWD record with the relative path in the PATH record, do I
> always get the absolute path?
Sort of - you probably need to run the concatenated string through realpath()
to canonicalize the path.
> Also, some audit events contain more than one PATH record, for
> example:
>
> type=SYSCALL msg=audit(1274190814.081:7): arch=c000003e syscall=165 success=yes exit=0 a0=1783fe0 a1=1784000 a2=1784020 a3=ffffffffc0ed0006 items=2 ppid=26725 pid=26726 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
> type=CWD msg=audit(1274190814.081:7): cwd="/"
> type=PATH msg=audit(1274190814.081:7): item=0 name="/media/flash" inode=15592 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1274190814.081:7): item=1 name=(null) inode=395117 dev=00:0c mode=060660 ouid=0 ogid=6 rdev=08:11
>
> Is the first PATH record more important than the others?
The one with name=null should be thrown away. I forget why we have those, but
the one with actual text is the right one. Also note that both name and cwd
follow the hex encoded field rules. If you are using auparse to examine the
records, you will always want to use the interpreted values.
-Steve
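The procedure the reply sketches (pair each PATH record with its event's CWD record, drop the name=(null) item, decode names written under the hex-encoded field rules, then canonicalize the joined path), as an added worked example. This is not code from the thread, from audit or from auparse; it is a stand-alone Python parser for the raw record text shown above. The second event (serial 8) is constructed to exercise a relative, hex-encoded name; os.path.normpath stands in for realpath() so it runs offline, and the caveat about that substitution is in the docstring.

```python
"""Join CWD + PATH from Linux audit records into absolute paths.

Added example, not from the thread or from the audit/auparse code base.
"""
import os
import re
from collections import defaultdict

# Constructed sample input: the mount event quoted in the thread (serial 7)
# plus an invented open(2) event (serial 8) whose name is relative and is
# hex-encoded because it contains a space.  Field lists are trimmed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1274190814.081:7): arch=c000003e syscall=165 success=yes exit=0 items=2 pid=26726 comm="mount" exe="/bin/mount" key=(null)
type=CWD msg=audit(1274190814.081:7): cwd="/"
type=PATH msg=audit(1274190814.081:7): item=0 name="/media/flash" inode=15592 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1274190814.081:7): item=1 name=(null) inode=395117 dev=00:0c mode=060660 ouid=0 ogid=6 rdev=08:11
type=SYSCALL msg=audit(1274190900.123:8): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=26730 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1274190900.123:8): cwd="/home/juraj"
type=PATH msg=audit(1274190900.123:8): item=0 name=2E2E2F6D79206469722F78 inode=4711 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# key=value where value is "quoted", (parenthesised) or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
SERIAL_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def interpret(raw):
    """Apply the audit string-field encoding rules to one raw value.

    The kernel writes a string field double-quoted when it is printable
    ASCII without '"', otherwise as an unquoted, even-length, uppercase
    hex string.  (null) means there is no value.  Returns str or None.
    """
    if raw == "(null)":
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        # surrogateescape keeps non-UTF-8 bytes round-trippable, like os.fsdecode
        return bytes.fromhex(raw).decode("utf-8", "surrogateescape")
    return raw


def parse_records(text):
    """Yield (serial, record type, field dict) for each record line."""
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        m = SERIAL_RE.search(fields.get("msg", ""))
        if not m or "type" not in fields:
            continue
        yield int(m.group(2)), fields["type"], fields


def absolute_paths(text, canonicalize=os.path.normpath):
    """Return {serial: [absolute path, ...]} in PATH item order.

    canonicalize defaults to the purely lexical os.path.normpath so this
    runs offline.  On the host that produced the log, pass
    os.path.realpath (the realpath() the reply recommends): only it can
    resolve symlinks, and a lexical ".." collapse is wrong across them.
    """
    events = defaultdict(lambda: {"cwd": None, "paths": []})
    for serial, rtype, f in parse_records(text):
        ev = events[serial]
        if rtype == "CWD":
            ev["cwd"] = interpret(f.get("cwd", "(null)"))
        elif rtype == "PATH":
            name = interpret(f.get("name", "(null)"))
            if name is None:          # the name=(null) item carries no path: drop it
                continue
            ev["paths"].append((int(f.get("item", 0)), name))
    result = {}
    for serial, ev in events.items():
        out = []
        for _, name in sorted(ev["paths"]):
            if not os.path.isabs(name):
                if ev["cwd"] is None:
                    continue          # relative name but no CWD record: cannot resolve
                name = os.path.join(ev["cwd"], name)
            out.append(canonicalize(name))
        result[serial] = out
    return result


if __name__ == "__main__":
    for serial, paths in sorted(absolute_paths(SAMPLE_LOG).items()):
        print(serial, paths)
```

For serial 7 this yields only "/media/flash" (the name=(null) item is dropped); for serial 8 the hex name decodes to "../my dir/x" and joins with cwd="/home/juraj" to give "/home/my dir/x". The hex check is deliberately strict (even length, uppercase) so that a bare field such as a number is not mistaken for an encoded string.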