On Tuesday, December 07, 2010 01:21:27 am Dilin Mao wrote:
> We are developing a system to monitor file operations; the difficulty
> is how to reconstruct the file path from audit records. We have written some
> testcases for system calls of file/dir operations, and found that the
> number of path records differs when we try different combinations of
> absolute or relative pathnames. For the rename/renameat functions, we have seen
> four or five path records per system call; for the link/linkat functions, the
> number of path records is two or three. Is there any rule for how the path
> records are generated?

I was hoping one of the kernel developers was going to answer this.

> We have also found that the file path can't be reconstructed correctly
> sometimes. Taking the linkat function as an example:

By any chance, can you share the testcase source code? I'm sure I could write it from scratch, but it might help expedite the discussion if you could share that.

Thanks,
-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
