audit 0.6.10 released
David Woodhouse
dwmw2 at infradead.org
Tue Apr 5 20:47:49 UTC 2005
On Tue, 2005-04-05 at 16:17 -0400, Steve Grubb wrote:
> David, how did you intend userspace to compute a correct value? For
> example, my 2 bit machine has arch=40000003.
0x80000000 is a flag for '64-bit'
0x40000000 is a flag for 'little-endian'
The lower 16 bits are the ELF machine type. 3 is presumably EM_386. This
was discussed on the list between Chris and myself when the patch was
sent for viewing.
> I also just noticed that success is now "yes" or "no". It was 0 and 1
Unless I'm mistaken, there was no explicit report of 'success=' before;
this is new information. Before, there was merely 'exit=', and we were
making unwarranted inferences from it -- some architectures explicitly
report success/failure in a condition code register rather than using
small negative numbers _only_ to indicate failure. Perhaps you're
thinking of the AUDIT_SUCCESS filter, which should still work as
expected?
--
dwmw2
More information about the Linux-audit
mailing list