linux-audit: reconstruct path names from syscall events?
Eric Paris
eparis at redhat.com
Fri Oct 7 18:27:53 UTC 2011
On Fri, 2011-10-07 at 10:20 -0700, Casey Schaufler wrote:
> On 10/7/2011 6:50 AM, Eric Paris wrote:
> > Casey only talked about the easy part of the reason the pathnames are
> > useless. He forgot to mention
>
> I didn't forget to mention the whole mount point thingy.
> People always get hung up in coming up with ways to explain
> around the problem, and having already identified the root
> cause of the problem
Ok fair enough. I guess I just saw two root problems not just one. You
mentioned there existing multiple names for the same object. I was
thinking of there not existing any name for an object which makes
sense at a 'system wide' level. In any case. We might be able to get
some more pathname like info, but it's never (like Casey so sagely said)
going to be truly useful....
-Eric