On Thu, Dec 5, 2013 at 7:35 PM, Aaron Lewis <[email protected]> wrote: > Hi, > > If I access a file with relative path, the PATH audit message would be > a relative path as well. > > I wonder if I can change this behavior without modifying the kernel?
IIUC, there should be a CWD message to go along with the PATH message. You should be able to use that to find the absolute path > (It seem audit daemon just receive the msg= field from kernel directly) > > -- > Best Regards, > Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) > Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- [ Peter Moody | Security Engineer | Google ] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
