Eric Paris <[EMAIL PROTECTED]> writes:

> So I'd say change all your stuff to look only at a0 for clone and
> someone (sgrubb already knows) needs to fix auparse to look for the
> flags in a0 not in a2.

I notice the name of the getdents64 system call is printed as getdents. I'll carefully study the output of strace and autrace on all the system calls I monitor, and supply a patch that fixes discrepancies. The code in auparse/interpret.c seems straightforward.

John

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
