open record looks like openat
John D. Ramsdell
ramsdell at mitre.org
Fri Jul 27 17:57:22 UTC 2007
"Wieprecht, Karen M." <Karen.Wieprecht at jhuapl.edu> writes:
> I'm probably out of my league by responding here, but some syscall
> records do have more than one path.
You are correct. I would expect the rename(2) system call to have two
PATH records, and the renameat(4) call to have four. I suppose I
should see what a renameat audit record looks like given Steve's
interesting findings about openat.
John
More information about the Linux-audit
mailing list