
Steve Grubb sgrubb at redhat.com
Tue Jun 7 18:29:22 UTC 2005


I ran another test on the .56 kernel. I wanted to make sure we are logging
parameters for execve so we can see what is being executed:

type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=1 inode=770531 
dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=0 name=/bin/ls 
inode=1048599 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(06/07/05 14:14:28.592:5004271) :  cwd=/root
type=SYSCALL msg=audit(06/07/05 14:14:28.592:5004271) : arch=i386 
syscall=execve success=yes exit=0 a0=9195ab8 a1=91a9838 a2=91b1900 a3=91a9838 
items=2 pid=4167 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root comm=ls exe=/bin/ls

What is the first PATH record showing? I was expecting only 1 item, not 2.
There is no name, yet the mode says it's a file. I've checked several apps
doing execve, and they all have the same first record with the same inode no matter
what I run.
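As an added example that is not part of the original post or of the audit tooling, the following Python parser groups the raw records above into one event by their `msg=audit(timestamp:serial)` id and reports the PATH items, flagging any item that arrives without a `name` field, which is the check the post is doing by eye. The sample records are the four lines from the post with the mail wrapping undone.

```python
import re
from collections import defaultdict

# Constructed sample: the four records quoted in the post, rejoined onto one line each.
SAMPLE = """\
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=1 inode=770531 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=0 name=/bin/ls inode=1048599 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(06/07/05 14:14:28.592:5004271) :  cwd=/root
type=SYSCALL msg=audit(06/07/05 14:14:28.592:5004271) : arch=i386 syscall=execve success=yes exit=0 a0=9195ab8 a1=91a9838 a2=91b1900 a3=91a9838 items=2 pid=4167 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=ls exe=/bin/ls
"""

# Record header: type, then the event id "timestamp:serial" inside msg=audit(...), then the body.
HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) :\s*(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S+)")  # body is space-separated key=value pairs (no quoting in this format)

def parse_record(line):
    """Return {'type', 'event', 'fields'} for one record line, or None if it is not a record."""
    m = HEADER.match(line)
    if not m:
        return None
    return {"type": m.group("type"),
            "event": f"{m.group('ts')}:{m.group('serial')}",
            "fields": dict(KV.findall(m.group("rest")))}

def group_events(text):
    """Group record lines by event id; all records of one syscall share the same id."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event"]].append(rec)
    return dict(events)

def summarize_execve(records):
    """Pull the fields a reviewer wants from one event and list PATH items lacking a name."""
    syscall = next((r["fields"] for r in records if r["type"] == "SYSCALL"), {})
    cwd = next((r["fields"].get("cwd") for r in records if r["type"] == "CWD"), None)
    paths = sorted((r["fields"] for r in records if r["type"] == "PATH"),
                   key=lambda f: int(f["item"]))
    items = [{"item": int(f["item"]), "name": f.get("name"), "inode": f.get("inode"),
              "mode": f.get("mode")} for f in paths]
    return {"syscall": syscall.get("syscall"), "exe": syscall.get("exe"),
            "auid": syscall.get("auid"), "cwd": cwd,
            "items_declared": int(syscall.get("items", 0)), "paths": items,
            "nameless_items": [p["item"] for p in items if p["name"] is None]}

if __name__ == "__main__":
    for event_id, recs in group_events(SAMPLE).items():
        print(event_id, summarize_execve(recs))
```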

