execve

Debora Velarde dvelarde at us.ibm.com
Tue Jun 7 18:38:01 UTC 2005
Hi Steve,

If you do a 'find . -inum 770531' do you find anything?

-debbie

linux-audit-bounces at redhat.com wrote on 06/07/2005 01:29:22 PM:

> Hello,

> ran another test on .56 kernel. I wanted to make sure we are logging
> parameters for execve so we can see what is being executed:

> type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=1 inode=770531
> dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
> type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=0 name=/bin/ls
> inode=1048599 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
> type=CWD msg=audit(06/07/05 14:14:28.592:5004271) :  cwd=/root
> type=SYSCALL msg=audit(06/07/05 14:14:28.592:5004271) : arch=i386
> syscall=execve success=yes exit=0 a0=9195ab8 a1=91a9838 a2=91b1900 a3=91a9838
> items=2 pid=4167 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root comm=ls exe=/bin/ls

> What is the first PATH record showing? I was expecting only 1 item, not 2.
> There is no name, yet the mode says it's a file. I've checked several apps
> doing execve, they all have the same first record with same inode no matter
> what I run.

> -Steve

> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
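An added example, not part of the thread and written here rather than by either poster: it groups audit records by their serial number, sorts the PATH items of each event, and flags any PATH item that carries an inode but no name, which is the item=1 record Steve asks about. The sample input is the records quoted above, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in the thread, one record per line.
SAMPLE = """\
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=1 inode=770531 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(06/07/05 14:14:28.592:5004271) : item=0 name=/bin/ls inode=1048599 dev=03:02 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(06/07/05 14:14:28.592:5004271) :  cwd=/root
type=SYSCALL msg=audit(06/07/05 14:14:28.592:5004271) : arch=i386 syscall=execve success=yes exit=0 a0=9195ab8 a1=91a9838 a2=91b1900 a3=91a9838 items=2 pid=4167 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=ls exe=/bin/ls
"""

MSG_RE = re.compile(r"msg=audit\(([^)]*):(\d+)\) :\s*")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_record(line):
    """Split one record into (serial, fields). The msg=audit(...) token contains
    spaces and parentheses, so it is cut out before the key=value scan."""
    m = MSG_RE.search(line)
    if not m:
        return None, {}
    fields = dict(KV_RE.findall(line[:m.start()] + line[m.end():]))
    fields["timestamp"] = m.group(1)
    return int(m.group(2)), fields

def group_events(text):
    """Records sharing an audit serial belong to one event (one syscall)."""
    events = defaultdict(list)
    for line in text.splitlines():
        serial, fields = parse_record(line)
        if serial is not None:
            events[serial].append(fields)
    return events

def summarize_execve(records):
    """Return exe, cwd and PATH items ordered by item index for one event, and
    list the items that have an inode but no name (the puzzling item=1 above)."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), {})
    cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), None)
    paths = sorted((r for r in records if r["type"] == "PATH"),
                   key=lambda r: int(r["item"]))
    return {
        "exe": syscall.get("exe"),
        "cwd": cwd,
        "items_declared": int(syscall.get("items", 0)),
        "items": [(int(p["item"]), p.get("name"), p["inode"]) for p in paths],
        "unnamed_items": [int(p["item"]) for p in paths if "name" not in p],
    }

if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE).items():
        print(serial, summarize_execve(recs))
```

Comparing `items_declared` with the number of PATH records collected also tells you when a multi-record event arrived incomplete.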