I notice that /bin/rm no longer uses the unlink system call, but instead uses unlinkat.
Steve Grubb <[EMAIL PROTECTED]> writes:

> But openat does give a different output:
...
> Lo and behold the record changes to this:

Note that my trick of looking at the last path record for the file name works for both forms of openat events. It also works with unlink and unlinkat. I guess I had better add programs that use openat to my test suite, so as to ensure the trick works.

John

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
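
The last-PATH-record trick described in the message above, as an added example that is not part of the original thread and is not John's or the audit project's code. The log lines are constructed, the function names are hypothetical, and "last" is assumed to mean the final PATH record in log order among records sharing one event serial.

```python
import re

# Constructed sample records (not from the thread). Syscall numbers are
# x86_64: 87 = unlink, 263 = unlinkat, 257 = openat.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200000000.100:41): arch=c000003e syscall=87 success=yes comm="rm"
type=PATH msg=audit(1200000000.100:41): item=0 name="/tmp" inode=2
type=PATH msg=audit(1200000000.100:41): item=1 name="/tmp/old.txt" inode=77
type=SYSCALL msg=audit(1200000000.200:42): arch=c000003e syscall=263 success=yes comm="rm"
type=PATH msg=audit(1200000000.200:42): item=0 name="/tmp" inode=2
type=PATH msg=audit(1200000000.200:42): item=1 name=2F746D702F6D792066696C65 inode=78
type=SYSCALL msg=audit(1200000000.300:43): arch=c000003e syscall=257 success=yes comm="cat"
type=PATH msg=audit(1200000000.300:43): item=0 name="notes.txt" inode=79
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
NAME_RE = re.compile(r'(?:^| )name=("[^"]*"|\S+)')

def decode_name(raw):
    """Decode an audit name= value: quoted, (null), or hex-encoded."""
    if raw.startswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return None
    try:
        # Names with spaces or control characters are logged as bare hex.
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # unknown form: hand back unchanged

def last_path_names(log_text):
    """Return {event serial: name from the last PATH record of that event}."""
    names = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m or m.group(1) != "PATH":
            continue
        found = NAME_RE.search(m.group(3))
        # A later PATH record of the same event overwrites the earlier one.
        names[int(m.group(2))] = decode_name(found.group(1)) if found else None
    return names

if __name__ == "__main__":
    for serial, name in last_path_names(SAMPLE_LOG).items():
        print(serial, name)
```

Grouping by serial rather than by adjacency keeps the result correct when records from different events interleave in the log.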
