* How to reconstruct file path from PATH records?
@ 2010-12-07 6:21 Dilin Mao
From: Dilin Mao @ 2010-12-07 6:21 UTC (permalink / raw)
To: linux-audit
Hi,
We are developing a system to monitor file operations; the difficulty
is how to reconstruct the file path from audit records. We have written some
test cases for system calls of file/dir operations, and found that the number
of path records differs when we try different combinations of absolute or
relative pathnames. For the rename/renameat functions, we have seen four or five
path records per system call; for the link/linkat functions, the number of path
records is two or three. Is there any rule for how the path records are
generated?
We have also found that the file path can't be reconstructed correctly
sometimes. Taking the linkat function as an example:
#include <fcntl.h>
#include <unistd.h>
int olddirfd = open("/home/dlmao/test-syscall/tests/tmpdir", O_RDONLY);
int newdirfd = open("/home/dlmao/test-syscall/tests/tmpdir", O_RDONLY);
linkat(olddirfd, "tmp.f1C3HgoJ1K", newdirfd, "tmpfile4", 0);  /* both names are relative to the dirfds */
but the audit record output is:
type=SYSCALL msg=audit(1291697940.405:66): arch=40000003 syscall=303
success=yes exit=0 a0=3 a1=bfe7ff2c a2=4 a3=bfe7feac items=3 ppid=3573
pid=3609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=4294967295 comm="test-linkat"
exe="/home/dlmao/test-syscall/tests/test-linkat" key=(null)
type=CWD msg=audit(1291697940.405:66): cwd="/home/dlmao/test-syscall/tests"
type=PATH msg=audit(1291697940.405:66): item=0 name="tmp.f1C3HgoJ1K"
inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=1
name="/home/dlmao/test-syscall/tests" inode=287306 dev=08:01 mode=040755
ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=2 name="tmpfile4" inode=284275
dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
Thanks,
Mao
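As an added example (not code from the original thread or from the audit project), here is a small Python parser that groups the records above into one event, resolves relative PATH names against the CWD record, and flags the case this message hits: a name relative to a dirfd other than AT_FDCWD, whose directory is not in the records at all. The item-to-dirfd mapping for linkat and the hex encoding of AT_FDCWD in the a0..a3 fields are assumptions.

```python
import re

# Sample event constructed from the linkat records in the message above.
SAMPLE = """\
type=SYSCALL msg=audit(1291697940.405:66): arch=40000003 syscall=303 success=yes exit=0 a0=3 a1=bfe7ff2c a2=4 a3=bfe7feac items=3 ppid=3573 pid=3609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="test-linkat" exe="/home/dlmao/test-syscall/tests/test-linkat" key=(null)
type=CWD msg=audit(1291697940.405:66): cwd="/home/dlmao/test-syscall/tests"
type=PATH msg=audit(1291697940.405:66): item=0 name="tmp.f1C3HgoJ1K" inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=1 name="/home/dlmao/test-syscall/tests" inode=287306 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=2 name="tmpfile4" inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""

# Assumption: AT_FDCWD (-100) shows up in the hex a0..a3 fields as ffffff9c (i386)
# or ffffffffffffff9c (x86_64), so only the low 32 bits are compared.
AT_FDCWD_LOW32 = 0xFFFFFF9C

def parse_fields(line):
    """Split one audit record into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def group_event(text):
    """Collect the SYSCALL, CWD and PATH records of one event (same msg id)."""
    ev = {"paths": {}}
    for line in text.splitlines():
        f = parse_fields(line)
        if f["type"] == "SYSCALL":
            ev["syscall"] = f
        elif f["type"] == "CWD":
            ev["cwd"] = f["cwd"]
        elif f["type"] == "PATH":
            ev["paths"][int(f["item"])] = f["name"]
    return ev

def is_at_fdcwd(hexval):
    return int(hexval, 16) & 0xFFFFFFFF == AT_FDCWD_LOW32

def resolve(ev, dirfd_arg_for_item):
    """Map item -> absolute path, or None when the name is relative to a dirfd other
    than AT_FDCWD: that directory is not in the records (the failure described above)."""
    out = {}
    for item, name in ev["paths"].items():
        arg = dirfd_arg_for_item.get(item)
        if name.startswith("/"):
            out[item] = name
        elif arg is None or is_at_fdcwd(ev["syscall"][arg]):
            out[item] = ev["cwd"].rstrip("/") + "/" + name
        else:
            out[item] = None
    return out

# Assumption for linkat, from the item order in the example: item 0 is the old name
# (relative to a0 = olddirfd) and item 2 the new name (relative to a2 = newdirfd).
LINKAT_ITEM_DIRFD = {0: "a0", 2: "a2"}

if __name__ == "__main__":
    print(resolve(group_event(SAMPLE), LINKAT_ITEM_DIRFD))
```

For the sample event items 0 and 2 come back as None, because a0=3 and a2=4 are real descriptors and the tmpdir they point to never appears in the records; only the absolute parent directory in item 1 resolves.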
* Re: How to reconstruct file path from PATH records?
From: Steve Grubb @ 2010-12-08 17:42 UTC (permalink / raw)
To: linux-audit; +Cc: Dilin Mao
On Tuesday, December 07, 2010 01:21:27 am Dilin Mao wrote:
> We are developing a system to monitor file operations; the difficulty
> is how to reconstruct the file path from audit records. We have written some
> test cases for system calls of file/dir operations, and found that the
> number of path records differs when we try different combinations of
> absolute or relative pathnames. For the rename/renameat functions, we have seen
> four or five path records per system call; for the link/linkat functions, the
> number of path records is two or three. Is there any rule for how the path
> records are generated?
I was hoping one of the kernel developers was going to answer this.
> We have also found that the file path can't be reconstructed correctly
> sometimes. Taking the linkat function as an example:
By any chance, can you share the testcase source code? I'm sure I could write it from
scratch, but it might help expedite the discussion if you could share that.
Thanks,
-Steve