open record looks like openat
John D. Ramsdell
ramsdell at mitre.org
Fri Jul 27 15:15:59 UTC 2007
I notice that /bin/rm no longer uses the unlink system call, but
instead uses unlinkat.
Steve Grubb <sgrubb at redhat.com> writes:
> But openat does give a different output:
...
> Lo and behold the record changes to this:
Note that my trick of looking at the last path record for the file
name works for both forms of openat events. It also works with unlink
and unlinkat.
I guess I had better add programs that use openat to my test suite, so
as to ensure the trick works.
John
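
The last-PATH-record approach described in the message above, sketched as an added example (not code from the post or from the audit project). The log lines are constructed samples in the audit record layout, and `last_path_names` and `decode_name` are hypothetical helper names.

```python
import re

# Constructed sample records (not taken from the thread): rm via unlinkat,
# an openat with a relative name, and an unlink whose name is hex-encoded
# because it contains a space.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1185549359.101:201): syscall=263 success=yes exit=0 comm="rm" exe="/bin/rm"
type=CWD msg=audit(1185549359.101:201): cwd="/home/demo"
type=PATH msg=audit(1185549359.101:201): item=0 name="/home/demo" inode=1001
type=PATH msg=audit(1185549359.101:201): item=1 name="scratch.txt" inode=1002
type=SYSCALL msg=audit(1185549359.202:202): syscall=257 success=yes exit=3 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1185549359.202:202): cwd="/home/demo"
type=PATH msg=audit(1185549359.202:202): item=0 name="notes.txt" inode=1003
type=SYSCALL msg=audit(1185549359.303:203): syscall=87 success=yes exit=0 comm="unlink" exe="/bin/unlink"
type=PATH msg=audit(1185549359.303:203): item=0 name="/tmp" inode=2
type=PATH msg=audit(1185549359.303:203): item=1 name=2F746D702F612062 inode=1004
'''

RECORD = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
# A name is quoted, the literal (null), or bare hex when it holds special characters.
NAME = re.compile(r'\bname=("([^"]*)"|\(null\)|[0-9A-Fa-f]+)')

def decode_name(match):
    """Turn the name= field of a PATH record into a string (None for (null))."""
    if match.group(2) is not None:
        return match.group(2)
    if match.group(1) == '(null)':
        return None
    return bytes.fromhex(match.group(1)).decode('utf-8', 'replace')

def last_path_names(log_text):
    """Map each event id (timestamp:serial) to the name in its last PATH record."""
    names = {}
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if not rec or rec.group(1) != 'PATH':
            continue
        field = NAME.search(rec.group(3))
        if field:
            # Later PATH records of the same event overwrite earlier ones,
            # so the value left at the end is the last PATH record's name.
            names[rec.group(2)] = decode_name(field)
    return names

if __name__ == '__main__':
    for event, name in last_path_names(SAMPLE_LOG).items():
        print(event, name)
```

Keying on the event id rather than on line adjacency keeps the result correct when records from different events are interleaved in the log.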