Aha - it actually says "xxxx (deleted)". Which is OK I guess. But I would have thought that the untrusted string routine would know that this is a string generated by the kernel audit system and so not escape it.

-----Original Message-----
From: Steve Grubb [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 05, 2007 6:34 AM
To: [email protected]
Cc: paul moore
Subject: Re: hexified path in cwd audit message if dir no longer exists

On Friday 04 May 2007 20:47:19 paul moore wrote:
> Occasionally I get a CWD audit message that has a hexified path in it.
> Like this
>
> $1 = "audit(1178324383.479:1566):
> cwd=2F70726F632F35373336202864656C6574656429\000
> This is "/proc/5736"

Could you tell me what you get when you pull this event's record out with
ausearch -i ?

-Steve
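
An added example, not part of the original thread or the audit project's code: a Python decoder for the cwd value quoted above, next to the kernel's encoding rule for untrusted strings, under which a double quote or any byte outside 0x21..0x7e (including the space in " (deleted)") causes the whole value to be hex-encoded. The `type=CWD msg=` prefix and the second record are constructed sample input, and the function names are hypothetical.

```python
import re

# Constructed sample records. The first reuses the cwd value quoted in the
# thread; the second is a constructed path that needs no escaping.
SAMPLE = [
    'type=CWD msg=audit(1178324383.479:1566): '
    'cwd=2F70726F632F35373336202864656C6574656429',
    'type=CWD msg=audit(1178324383.480:1567): cwd="/home/paul"',
]

CWD_FIELD = re.compile(r'\bcwd=("[^"]*"|\S+)')
HEX_VALUE = re.compile(r'(?:[0-9A-F]{2})+\Z')


def needs_hex(raw: bytes) -> bool:
    """Encoding rule: a '"' or any byte outside 0x21..0x7e forces hex."""
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in raw)


def encode_untrusted(raw: bytes) -> str:
    """Emit a value the way an untrusted string appears in a record."""
    if needs_hex(raw):
        return raw.hex().upper()
    return '"' + raw.decode("ascii") + '"'


def decode_untrusted(value: str) -> bytes:
    """Reverse the encoding: quoted values are literal, bare hex is decoded."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return value[1:-1].encode()
    if HEX_VALUE.match(value):
        return bytes.fromhex(value)
    return value.encode()  # anything else, e.g. (null), is passed through


def cwd_of(record: str):
    """Return the decoded cwd of one record, or None if it has no cwd field."""
    m = CWD_FIELD.search(record)
    return decode_untrusted(m.group(1)) if m else None


if __name__ == "__main__":
    for rec in SAMPLE:
        print(cwd_of(rec))
```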
