From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: How to retrieve pointer arguments' value
Date: Thu, 6 Mar 2008 06:21:46 -0500
Message-ID: <200803060621.46877.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 05 March 2008 23:45:26 Marius.bao wrote:
> Some of the syscalls provide pointer arguments, but the audit just
> provides the pointer value, not the data it points to. How can I
> retrieve the value the argument points to?

The audit system captures important information about the object in other
records that are part of the same event. For example, the filename of the
open command is in a PATH record, addresses of connect are in SOCKADDR
records, etc.

Is there some important information about a security-relevant object that we
missed?

-Steve
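
The correlation described in the reply above, as an added example that is not part of the original message or the audit project's code: records sharing one `msg=audit(timestamp:serial)` id are grouped into an event, and the PATH and SOCKADDR records are read in place of the SYSCALL record's raw pointer arguments. The log lines are constructed samples, the function names are hypothetical, and the saddr decoding assumes a little-endian x86_64 host and handles AF_INET only.

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample records in auditd log format (x86_64: syscall 2 = open, 42 = connect).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1204802506.101:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5c3b2a10 a1=0 a2=1b6 a3=0 items=1 pid=2101 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1204802506.101:4567): cwd="/root"
type=PATH msg=audit(1204802506.101:4567): item=0 name="/etc/passwd" inode=409248 dev=fd:00 mode=0100644
type=SYSCALL msg=audit(1204802507.220:4568): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff9d1c4e30 a2=10 a3=0 items=0 pid=2102 comm="curl" exe="/usr/bin/curl"
type=SOCKADDR msg=audit(1204802507.220:4568): saddr=020001BBC000020A0000000000000000
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by their timestamp:serial id; one id is one event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, event_id, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
            events[event_id].append((rtype, fields))
    return events

def decode_saddr(hex_saddr):
    """Decode an AF_INET saddr to (ip, port); other families come back as raw hex."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack_from("<H", raw)[0]  # sa_family: host order, little-endian assumed
    if family == socket.AF_INET and len(raw) >= 8:
        port = struct.unpack_from("!H", raw, 2)[0]  # port and address are network order
        return socket.inet_ntoa(raw[4:8]), port
    return hex_saddr, None

def resolve_pointer_args(events):
    """Per event, report what the SYSCALL's pointer arguments referred to."""
    resolved = {}
    for event_id, records in events.items():
        sc = next((f for t, f in records if t == "SYSCALL"), {})
        resolved[event_id] = {
            "syscall": sc.get("syscall"),
            "paths": [f["name"] for t, f in records if t == "PATH" and "name" in f],
            "sockaddrs": [decode_saddr(f["saddr"]) for t, f in records if t == "SOCKADDR"],
        }
    return resolved
```

On a live system, `ausearch -i` performs this interpretation on the real log.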