From: Matthew Booth
Subject: Re: Format of audit logs
Date: Sun, 13 May 2007 19:17:54 +0100
Message-ID: <1179080274.4251.19.camel@localhost.localdomain>
In-Reply-To: <200705131247.47703.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sun, 2007-05-13 at 12:47 -0400, Steve Grubb wrote:
> On Tuesday 08 May 2007 14:02:06 Matthew Booth wrote:
> > Can anybody point me to a document which describes the format of logs
> > generated by auditd in RHEL 4.
>
> I have not created such a document. I don't know if anyone else has either. I
> plan to start creating a bunch of documentation for the audit system this
> summer.

Ok. In the mean time, can you fill me in on exactly how a PATH record is
added to an event? For example, on execve(), why would I get a PATH
record for both the binary being executed and the ld library? The latter
didn't have a name, just an inode.

Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490