From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Should open syscall records occur without a path record?
Date: Mon, 23 Jul 2007 09:51:46 -0400
Message-ID: <200707230951.46896.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 23 July 2007 09:09:22 John D. Ramsdell wrote:
> Is it appropriate for audit analysis programs to assume a PATH record
> will be available with every open syscall event? I cannot see how to
> do my analysis without the PATH record.

There should be a PATH record for every open. Have you verified the logs, or are you trusting ausearch? (Trying to figure out if there is a kernel problem or a search problem.)

As a first step, I'd construct some kind of regex command to see if you can verify that the kernel is recording PATH records for all opens. You may need to narrow the test case so that there aren't as many records to dig through.

-Steve
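The check Steve suggests, written out as an added example (not code from the thread or from the audit project): group raw audit.log records by their `msg=audit(timestamp:serial)` event id and report every open/openat SYSCALL event that has no PATH record in the same event. The sample log excerpt is constructed for the example, and the syscall numbers assume x86_64 (`arch=c000003e`: open=2, openat=257); other architectures use different numbers.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not taken from the mailing-list thread).
# Event 101: open() with its PATH record present.
# Event 102: open() whose PATH record is missing (the case the thread asks about).
# Event 103: openat() with PATH present.
# Event 104: read(), which is not expected to carry a PATH record at all.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1185199762.101:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2001 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1185199762.101:101): cwd="/home/user"
type=PATH msg=audit(1185199762.101:101): item=0 name="/etc/hosts" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1185199762.102:102): arch=c000003e syscall=2 success=yes exit=4 a0=7fff5678 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2002 auid=500 uid=500 comm="less" exe="/usr/bin/less"
type=CWD msg=audit(1185199762.102:102): cwd="/home/user"
type=SYSCALL msg=audit(1185199762.103:103): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7fff9abc a2=0 a3=0 items=1 ppid=1 pid=2003 auid=500 uid=500 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1185199762.103:103): item=0 name="/home/user/notes.txt" inode=5678 dev=08:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1185199762.104:104): arch=c000003e syscall=0 success=yes exit=512 a0=3 a1=7fff1111 a2=200 a3=0 items=0 ppid=1 pid=2001 auid=500 uid=500 comm="cat" exe="/bin/cat"
"""

# x86_64 numbers for the file-opening syscalls (assumption: arch=c000003e only).
X86_64_ARCH = "c000003e"
OPEN_SYSCALLS_X86_64 = {2: "open", 257: "openat"}

# Every audit record starts with its type and the shared event id.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values may be quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit.log line into type, event serial and a field dict."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "serial": int(m.group("serial")), "fields": fields}


def group_events(log_text):
    """Group records by event serial; all records of one event share it."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def opens_without_path(log_text):
    """Return (serial, syscall name, comm) for open/openat events lacking a PATH record."""
    missing = []
    for serial, records in sorted(group_events(log_text).items()):
        has_path = any(r["type"] == "PATH" for r in records)
        for rec in records:
            if rec["type"] != "SYSCALL" or rec["fields"].get("arch") != X86_64_ARCH:
                continue
            nr = int(rec["fields"].get("syscall", -1))
            if nr in OPEN_SYSCALLS_X86_64 and not has_path:
                missing.append((serial, OPEN_SYSCALLS_X86_64[nr], rec["fields"].get("comm")))
    return missing


if __name__ == "__main__":
    for serial, name, comm in opens_without_path(SAMPLE_LOG):
        print(f"event {serial}: {name}() by {comm} has no PATH record")
```

To run it against a real system, read `/var/log/audit/audit.log` into `log_text` instead of `SAMPLE_LOG`. Checking the raw file rather than `ausearch` output is the point of the exercise: if the raw log contains a PATH record for every open but a search tool does not show it, the problem is in the search, not the kernel.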