From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: linux-audit: reconstruct path names from syscall events?
Date: Fri, 07 Oct 2011 14:27:53 -0400
Message-ID: <1318012073.3420.4.camel@localhost>
References: <20110917001215.GA961@zombie.hq.fstein.net> <201110010831.57449.sgrubb@redhat.com> <4E8A1021.7090602@schaufler-ca.com> <20111004220855.GA18718@zombie.hq.fstein.net> <1317995458.3304.9.camel@localhost> <4E8F34D7.1030407@schaufler-ca.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <4E8F34D7.1030407@schaufler-ca.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Casey Schaufler
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 2011-10-07 at 10:20 -0700, Casey Schaufler wrote:
> On 10/7/2011 6:50 AM, Eric Paris wrote:
> > Casey only talked about the easy part of the reason the pathnames are
> > useless. He forgot to mention
>
> I didn't forget to mention the whole mount point thingy.
> People always get hung up in coming up with ways to explain
> around the problem, and having already identified the root
> cause of the problem

Ok, fair enough. I guess I just saw two root problems, not just one. You
mentioned there existing multiple names for the same object. I was
thinking of there not existing any name for an object which makes
sense at a 'system wide' level.

In any case. We might be able to get some more pathname-like info, but
it's never (like Casey so sagely said) going to be truly useful....

-Eric