I'm probably out of my league by responding here, but some syscall records do have more than one path. For instance,
mv file1 file2
will have a path record for both file1 and file2 ... The same type of
thing is true for cp file1 file2
Karen Wieprecht
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
