From mboxrd@z Thu Jan 1 00:00:00 1970 From: ramsdell@mitre.org (John D. Ramsdell) Subject: Re: open record looks like openat Date: 27 Jul 2007 13:57:22 -0400 Message-ID: References: <200707251621.38095.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l6RHvOQS002750 for ; Fri, 27 Jul 2007 13:57:24 -0400 Received: from smtp-mclean.mitre.org (smtpproxy2.mitre.org [192.80.55.71]) by mx1.redhat.com (8.13.1/8.13.1) with ESMTP id l6RHvNjh001179 for ; Fri, 27 Jul 2007 13:57:23 -0400 Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-mclean.mitre.org (8.12.11.20060308/8.12.11) with SMTP id l6RHvMNB004380 for ; Fri, 27 Jul 2007 13:57:22 -0400 Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-mclean.mitre.org (Postfix) with ESMTP id C91124F8D9 for ; Fri, 27 Jul 2007 13:57:22 -0400 (EDT) In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Wieprecht, Karen M." Cc: Linux Audit List-Id: linux-audit@redhat.com "Wieprecht, Karen M." writes: > I'm probably out of my league by responding here, but some syscall > records do have more than one path. You are correct. I would expect the rename(2) system call to have two PATH records, and the renameat(4) call to have four. I suppose I should see what a renameat audit record looks like given Steve's interesting findings about openat. John