Seaudit in Fedora Core 4

Stephen Smalley sds at tycho.nsa.gov
Thu Nov 10 18:27:54 UTC 2005


On Thu, 2005-11-10 at 12:46 -0300, Ma. Alejandra Castillo wrote:
> I am using the seaudit tool in Fedora Core 4, but the host and
> executable fields always appear empty, which is very strange. I am
> loading /var/log/audit.log; any suggestions for getting these fields
> to appear?

Logging of the executable path migrated from the SELinux avc audit code
to the syscall audit code due to a deadlock issue, so avc messages only
include the comm= information now.  However, whenever an avc message is
generated, a syscall audit record is also generated when the syscall
exits, and that includes the exe= information.  The two messages can be
correlated using the audit event id.  I don't know if newer versions of
seaudit perform such correlation or not.

-- 
Stephen Smalley
National Security Agency
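
The correlation by audit event id described in the reply above, as an added example that is not part of the original post and not seaudit's code. The log lines are constructed samples in the audit log format, and the function and field names are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original post). Event 4023 has
# no SYSCALL record in this input, so its exe stays unknown.
SAMPLE_LOG = """\
type=AVC msg=audit(1131647274.101:4021): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=hda2 ino=98311 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1131647274.101:4021): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2210 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1131647280.412:4022): avc:  denied  { write } for  pid=2307 comm="script.sh" name="tmpfile" dev=hda2 ino=1201 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1131647280.412:4022): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2307 uid=0 gid=0 comm="script.sh" exe="/bin/bash"
type=AVC msg=audit(1131647291.007:4023): avc:  denied  { getattr } for  pid=2400 comm="ls" name="shadow" dev=hda2 ino=77 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
"""

# Every record of one event carries the same "timestamp:serial" id.
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')

def correlate(log_text):
    """Join each AVC record with the SYSCALL record sharing its event id."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            fields["perms"] = p.group(1).split() if p else []
            events[(ts, serial)]["avc"].append(fields)
        elif rtype == "SYSCALL":
            events[(ts, serial)]["syscall"] = fields
    rows = []
    for (ts, serial), ev in events.items():
        syscall = ev["syscall"] or {}
        for avc in ev["avc"]:
            rows.append({"event_id": f"{ts}:{serial}",
                         "comm": avc.get("comm"),
                         "exe": syscall.get("exe"),  # None if no SYSCALL seen
                         "perms": avc["perms"],
                         "tclass": avc.get("tclass")})
    return rows

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

In the second sample event the AVC record alone shows only comm="script.sh"; the correlated SYSCALL record shows that the executable was /bin/bash.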



