I have a test suite that generates every system call analyzed by our package. The suite runs several programs that do a variety of things, including opening files. I traced the set of programs, and retrieved the records using ausearch -r -p P > P.txt where P is the process ID of each traced program.

When I attempt to analyze the logs, my program blows up because it assumes that every syscall audit event for the open syscall will include a PATH record. I made a quick edit of the analysis program, and discovered that 24 open syscall records have no PATH record, and sometimes the CWD record is missing too.

    $ python auditopen.py -i ../autsv/*.txt
    Of 421 events with a SYSCALL record with syscall=open
    401 have CWD
    397 have PATH
    0 have CWD but no PATH
    $

Is it appropriate for audit analysis programs to assume a PATH record will be available with every open syscall event? I cannot see how to do my analysis without the PATH record.
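
Added example, not part of the original post and not the poster's auditopen.py: one way to make such an analysis tolerate events without a PATH record, by grouping raw records on their audit event ID and listing the success and exit fields of every open event that lacks PATH. The sample records are constructed, and treating syscall=2 (x86_64) or the interpreted name open as the open syscall is an assumption.

```python
import re

# Constructed sample records in raw layout: type=X msg=audit(time:serial): k=v ...
SAMPLE = """\
type=SYSCALL msg=audit(1300000000.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=4242 comm="t1"
type=CWD msg=audit(1300000000.101:501): cwd="/home/test"
type=PATH msg=audit(1300000000.101:501): item=0 name="/etc/hosts" inode=1234
type=SYSCALL msg=audit(1300000000.205:502): arch=c000003e syscall=2 success=no exit=-14 pid=4242 comm="t1"
type=SYSCALL msg=audit(1300000000.310:503): arch=c000003e syscall=2 success=no exit=-2 pid=4242 comm="t1"
type=CWD msg=audit(1300000000.310:503): cwd="/home/test"
type=PATH msg=audit(1300000000.310:503): item=0 name="missing.txt"
type=SYSCALL msg=audit(1300000000.400:504): arch=c000003e syscall=3 success=yes exit=0 pid=4242 comm="t1"
"""

RECORD = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: x86_64 traces, where open is syscall 2; "open" covers interpreted output.
OPEN_IDS = {"2", "open"}

def group_events(lines):
    """Group records into events keyed by (timestamp, serial)."""
    events = {}
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip separators and anything that is not a record
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault((ts, serial), {"types": set(), "syscall": None})
        ev["types"].add(rtype)
        if rtype == "SYSCALL":
            ev["syscall"] = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return events

def summarize_open(events):
    """Count open events and list those lacking PATH instead of failing on them."""
    opens = {k: e for k, e in events.items()
             if e["syscall"] and e["syscall"].get("syscall") in OPEN_IDS}
    no_path = [(serial, e["syscall"].get("success"), e["syscall"].get("exit"))
               for (_, serial), e in opens.items() if "PATH" not in e["types"]]
    return {
        "open": len(opens),
        "cwd": sum("CWD" in e["types"] for e in opens.values()),
        "path": sum("PATH" in e["types"] for e in opens.values()),
        "cwd_no_path": sum("CWD" in e["types"] and "PATH" not in e["types"]
                           for e in opens.values()),
        "missing_path": no_path,
    }

if __name__ == "__main__":
    print(summarize_open(group_events(SAMPLE.splitlines())))
```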