How to reconstruct file path from PATH records?

Steve Grubb sgrubb at redhat.com
Wed Dec 8 17:42:17 UTC 2010


On Tuesday, December 07, 2010 01:21:27 am Dilin Mao wrote:
>    We are developing a system to monitor file operations; the difficulty
> is how to reconstruct the file path from audit records. We have written some
> testcases for system calls of file/dir operations, and found that the
> number of path records differs when we try different combinations of
> absolute or relative pathnames.  For the rename/renameat functions, we have seen
> four or five path records per system call; for the link/linkat functions, the
> number of path records is two or three. Is there any rule for how the path
> records are generated?
 
I was hoping one of the kernel developers was going to answer this. 
 

>    We have also found that the file path can't be reconstructed correctly
> sometimes.  Taking the linkat function as an example:

By any chance, can you share the testcase source code? I'm sure I could write it from 
scratch, but it might help expedite the discussion if you could share that.

Thanks,
-Steve



