Steve Grubb <[EMAIL PROTECTED]> writes:

> There should be a PATH record for every open. Have you verified the
> logs or trusting ausearch?

The short version of what I found is that the missing PATH records always appear in the raw logs, but both ausearch and auparse fail to return some PATH records with their associated SYSCALL record. A PATH record gets ignored when another syscall event record occurs between the SYSCALL record and the PATH record.

I'll send you a long version of my results off line as the data to support the report is voluminous.

John

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
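
An added example, not part of the message above and not ausearch or auparse code: a check run directly against raw audit log lines that associates records by the event ID in `msg=audit(timestamp:serial)` rather than by position, next to a hypothetical contiguity-based grouper that shows the reported symptom. The log lines, field values and function names are constructed for illustration.

```python
import re

# Constructed sample in raw audit.log layout; event 101's PATH record
# arrives after the SYSCALL record of event 102.
SAMPLE = """\
type=SYSCALL msg=audit(1190000000.100:101): syscall=2 success=yes pid=4001 comm="cat"
type=SYSCALL msg=audit(1190000000.100:102): syscall=2 success=yes pid=4002 comm="ls"
type=PATH msg=audit(1190000000.100:101): item=0 name="/etc/passwd" inode=1234
type=PATH msg=audit(1190000000.100:102): item=0 name="/tmp" inode=5678
type=SYSCALL msg=audit(1190000000.200:103): syscall=2 success=yes pid=4003 comm="cat"
type=PATH msg=audit(1190000000.200:103): item=0 name="/etc/hosts" inode=4321
""".splitlines()

# Each record carries its event id as msg=audit(<epoch>.<ms>:<serial>).
RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")

def parse(lines):
    """Yield (event_id, record_type) for every well-formed record."""
    for line in lines:
        m = RECORD.match(line)
        if m:
            yield (m.group(2), int(m.group(3))), m.group(1)

def group_by_id(lines):
    """Associate records by event id, regardless of their order in the log."""
    events = {}
    for eid, rtype in parse(lines):
        events.setdefault(eid, []).append(rtype)
    return events

def group_contiguous(lines):
    """Hypothetical naive grouper: assumes one event's records are contiguous."""
    events, current = {}, None
    for eid, rtype in parse(lines):
        if eid != current:
            if eid in events:
                continue  # late record for an already-closed event is lost
            events[eid], current = [], eid
        events[eid].append(rtype)
    return events

def syscalls_without_path(events):
    """Serial numbers of events with a SYSCALL record but no PATH record."""
    return sorted(eid[1] for eid, types in events.items()
                  if "SYSCALL" in types and "PATH" not in types)

if __name__ == "__main__":
    print("by id:     ", syscalls_without_path(group_by_id(SAMPLE)))
    print("contiguous:", syscalls_without_path(group_contiguous(SAMPLE)))
```

Grouping by ID reports no SYSCALL without a PATH on this sample, while the contiguity-based grouper reports event 101; a difference like that between a raw-log check and a tool's output points at record association rather than at missing kernel records.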
