Hi all,
I have a question regarding how to interpret the audit messages that we got for an open system call. In most cases, we observe a single item (path) record following the 'syscall' and 'cwd' messages. However, in some cases, we see 2 or 3 item (path) records following the 'syscall' and 'cwd' messages, as in the following cases.
CASE 1:
Jan 14 11:00:01 hostname kernel: [4980285.399982] type=1300 audit(1421233201.056:893730395): arch=c000003e syscall=2 success=yes exit=5 a0=7ffff4ae5830 a1=c2 a2=180 a3=2233546f14d99 items=2 ppid=983 pid=5723 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="cron" exe="/usr/sbin/cron" key=(null)
Jan 14 11:00:01 hostname kernel: [4980285.399985] type=1307 audit(1421233201.056:893730395): cwd="/var/spool/cron"
Jan 14 11:00:01 hostname kernel: [4980285.399988] type=1302 audit(1421233201.056:893730395): item=0 name="/tmp/" inode=40961 dev=ca:01 mode=041777 ouid=0 ogid=0 rdev=00:00
Jan 14 11:00:01 hostname kernel: [4980285.399990] type=1302 audit(1421233201.056:893730395): item=1 name="/tmp/tmpfS9woiP" inode=30733 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
CASE 2:
Jan 14 11:19:37 hostname kernel: [4981461.529450] type=1300 audit(1421234377.184:894228556): arch=c000003e syscall=2 success=yes exit=5 a0=fa9700 a1=441 a2=1b6 a3=0 items=3 ppid=5727 pid=5728 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="Run" exe="/usr/bin/perl" key=(null)
Jan 14 11:19:37 hostname kernel: [4981461.529454] type=1307 audit(1421234377.184:894228556): cwd="/home/ubuntu/benchmarks/UnixBench/testdir"
Jan 14 11:19:37 hostname kernel: [4981461.529458] type=1302 audit(1421234377.184:894228556): item=0 name="/home/ubuntu/benchmarks/UnixBench/results/" inode=396144 dev=ca:01 mode=040775 ouid=1000 ogid=1000 rdev=00:00
Jan 14 11:19:37 hostname kernel: [4981461.529460] type=1302 audit(1421234377.184:894228556): item=1 name=(null) inode=440344 dev=ca:01 mode=0100664 ouid=1000 ogid=1000 rdev=00:00
Jan 14 11:19:37 hostname kernel: [4981461.529463] type=1302 audit(1421234377.184:894228556): item=2 name=(null) inode=440344 dev=ca:01 mode=0100664 ouid=1000 ogid=1000 rdev=00:00
I investigated the audit source code a bit and found out that these are produced as a result of enumerating the audit_context.names_list data structure. But I'm still not clear on how and when entries in this data structure are filled.
Could anyone explain what it means to have multiple items (paths) for a single open syscall invocation?
Thanks a lot for your help in advance.
Regards, Kangkook
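As an added illustration (not part of the original post and not code from the audit project), the script below groups the poster's SYSCALL (1300), CWD (1307) and PATH (1302) records by their audit serial number, the `audit(timestamp:serial)` field that every record of one event shares, and annotates what the records themselves expose: the open(2) flags decoded from `a1` (using the x86_64 `<asm-generic/fcntl.h>` bit values, valid because `arch=c000003e` and `syscall=2` identify open on x86_64), each PATH item classified as a directory or regular file from its `mode` field, and any items that repeat an already-seen dev/inode pair. The sample log is the two events from the post, re-joined onto one line per record; field names such as `items_declared` and `dup_inode` are this example's own.

```python
import re
import stat
from collections import OrderedDict

# Constructed sample: the two events quoted in the post, one audit record per line.
SAMPLE_LOG = """\
Jan 14 11:00:01 hostname kernel: [4980285.399982] type=1300 audit(1421233201.056:893730395): arch=c000003e syscall=2 success=yes exit=5 a0=7ffff4ae5830 a1=c2 a2=180 a3=2233546f14d99 items=2 ppid=983 pid=5723 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="cron" exe="/usr/sbin/cron" key=(null)
Jan 14 11:00:01 hostname kernel: [4980285.399985] type=1307 audit(1421233201.056:893730395): cwd="/var/spool/cron"
Jan 14 11:00:01 hostname kernel: [4980285.399988] type=1302 audit(1421233201.056:893730395): item=0 name="/tmp/" inode=40961 dev=ca:01 mode=041777 ouid=0 ogid=0 rdev=00:00
Jan 14 11:00:01 hostname kernel: [4980285.399990] type=1302 audit(1421233201.056:893730395): item=1 name="/tmp/tmpfS9woiP" inode=30733 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
Jan 14 11:19:37 hostname kernel: [4981461.529450] type=1300 audit(1421234377.184:894228556): arch=c000003e syscall=2 success=yes exit=5 a0=fa9700 a1=441 a2=1b6 a3=0 items=3 ppid=5727 pid=5728 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="Run" exe="/usr/bin/perl" key=(null)
Jan 14 11:19:37 hostname kernel: [4981461.529454] type=1307 audit(1421234377.184:894228556): cwd="/home/ubuntu/benchmarks/UnixBench/testdir"
Jan 14 11:19:37 hostname kernel: [4981461.529458] type=1302 audit(1421234377.184:894228556): item=0 name="/home/ubuntu/benchmarks/UnixBench/results/" inode=396144 dev=ca:01 mode=040775 ouid=1000 ogid=1000 rdev=00:00
Jan 14 11:19:37 hostname kernel: [4981461.529460] type=1302 audit(1421234377.184:894228556): item=1 name=(null) inode=440344 dev=ca:01 mode=0100664 ouid=1000 ogid=1000 rdev=00:00
Jan 14 11:19:37 hostname kernel: [4981461.529463] type=1302 audit(1421234377.184:894228556): item=2 name=(null) inode=440344 dev=ca:01 mode=0100664 ouid=1000 ogid=1000 rdev=00:00
"""

# Every record of one event carries the same audit(<timestamp>:<serial>) tag.
RECORD_RE = re.compile(r"type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# open(2) flag bits on x86_64 (asm-generic/fcntl.h); the low two bits are the access mode.
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = [
    (0x40, "O_CREAT"), (0x80, "O_EXCL"), (0x100, "O_NOCTTY"), (0x200, "O_TRUNC"),
    (0x400, "O_APPEND"), (0x800, "O_NONBLOCK"), (0x10000, "O_DIRECTORY"),
    (0x20000, "O_NOFOLLOW"), (0x80000, "O_CLOEXEC"),
]
X86_64_ARCH = "c000003e"
SYSCALL_OPEN_X86_64 = "2"


def parse_fields(body):
    """Turn 'k=v k="quoted v" k=(null)' into a dict; (null)/(none) become None."""
    out = {}
    for key, raw in FIELD_RE.findall(body):
        out[key] = None if raw in ("(null)", "(none)") else raw.strip('"')
    return out


def group_records(text):
    """Collect SYSCALL, CWD and PATH records per audit serial, in log order."""
    events = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"syscall": None, "cwd": None, "paths": []})
        fields = parse_fields(m["body"])
        rtype = int(m["type"])
        if rtype == 1300:          # SYSCALL
            ev["syscall"] = fields
        elif rtype == 1307:        # CWD
            ev["cwd"] = fields.get("cwd")
        elif rtype == 1302:        # PATH
            ev["paths"].append(fields)
    return events


def decode_open_flags(a1_hex):
    """a1 of open(2) is the flags word, logged in hex without a 0x prefix."""
    flags = int(a1_hex, 16)
    return [ACCESS_MODES[flags & 0x3]] + [name for bit, name in OPEN_FLAGS if flags & bit]


def classify_mode(mode_octal):
    """PATH mode is octal and includes the file type bits."""
    mode = int(mode_octal, 8)
    if stat.S_ISDIR(mode):
        return "dir"
    if stat.S_ISREG(mode):
        return "file"
    return "other"


def summarize(text):
    """One summary dict per event: who opened what, with which flags, and which items."""
    summaries = []
    for serial, ev in group_records(text).items():
        sc = ev["syscall"] or {}
        summary = {
            "serial": serial, "comm": sc.get("comm"), "exe": sc.get("exe"), "cwd": ev["cwd"],
            "flags": None,
            "items_declared": int(sc["items"]) if "items" in sc else None,  # items= on SYSCALL
            "items_seen": len(ev["paths"]),                                 # PATH records found
            "paths": [],
        }
        if sc.get("arch") == X86_64_ARCH and sc.get("syscall") == SYSCALL_OPEN_X86_64:
            summary["flags"] = decode_open_flags(sc["a1"])
        seen = set()
        for p in sorted(ev["paths"], key=lambda f: int(f["item"])):
            ident = (p.get("dev"), p.get("inode"))
            summary["paths"].append({
                "item": int(p["item"]), "name": p.get("name"), "inode": p.get("inode"),
                "kind": classify_mode(p["mode"]),
                "dup_inode": ident in seen,  # same dev/inode already listed in this event
            })
            seen.add(ident)
        summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s["serial"], s["comm"], s["flags"], "items", s["items_seen"], "/", s["items_declared"])
        for p in s["paths"]:
            print("   item", p["item"], p["kind"], p["name"], "inode", p["inode"],
                  "(repeat inode)" if p["dup_inode"] else "")
```

Run against the two events, the first decodes `a1=c2` as `O_RDWR|O_CREAT|O_EXCL` with a directory item (`/tmp/`) and a regular-file item (`/tmp/tmpfS9woiP`), and the second decodes `a1=441` as `O_WRONLY|O_CREAT|O_APPEND` with a directory item followed by two unnamed items that share dev `ca:01` and inode `440344`. Comparing `items_declared` with `items_seen` is also a cheap integrity check when stitching multi-line events back together from a syslog feed that may have dropped records.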