audit 0.6 release

Steve Grubb sgrubb at redhat.com
Fri Jan 7 15:12:59 UTC 2005


On Friday 07 January 2005 09:44, Browder, Tom wrote:
> Notice that I can get the file name, the system call, and the exit
> status of unlink (but I suspect the print format for the exit code is %u
> instead of %d, thus the apparent large number probably from a negative 
> exit code). 

Yes. We've been talking about that. Also translating the syscall from a number 
to its proper text name.

auditsc.c in audit_log_exit function
         if (context->return_valid)
                 audit_log_format(ab, " exit=%u", context->return_code);

That should be %d.

> But do there have to be two messages?  

I asked that question Wednesday. Why does log exit loop spitting out little 
messages instead of 1. I think we decided to leave it as is and query tools 
need to handle multiple records.

> (can I assume the messages always come in matching, adjacent pairs?).

Yes

> To sum up, I believe I can write a perl parser to do what I need now
> (assuming the exit code is correct), even though the message traffic is
> so high. 

The success option is what will help you lower the number of records the 
kernel sends to user space. I suppose we need to figure out its correct usage 
or if it's broken.

-Steve Grubb

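An added example, not part of the thread above and not code from the audit project: a small parser of the kind Tom Browder describes wanting, written in Python rather than Perl. It shows the two points the thread raises for a user-space tool: undoing the "exit=%u" formatting so a negative return_code (printed as a large unsigned number) comes back as the errno it was, and stitching the adjacent records of one event back together before filtering to failures. The record layout (an `audit(sec.msec:serial):` prefix followed by key=value fields), the sample lines, and the i386 syscall-number table are all constructed assumptions for the example, not a statement of what the 2005 kernel actually emitted.

```python
import re
from errno import errorcode  # maps an errno number to its name, e.g. 2 -> "ENOENT"

# Constructed sample records (not real audit output). Assumption: the records of
# one event share the audit(<sec>.<msec>:<serial>) prefix and arrive adjacently.
# The exit values are what " exit=%u" prints for return_code -2 and -13.
SAMPLE_LOG = """\
audit(1105109579.001:101): syscall=10 success=no exit=4294967294 pid=1234 uid=500
audit(1105109579.001:101): item=0 name="/tmp/missing"
audit(1105109579.002:102): syscall=10 success=yes exit=0 pid=1234 uid=500
audit(1105109579.002:102): item=0 name="/tmp/present"
audit(1105109579.003:103): syscall=5 success=no exit=4294967283 pid=1234 uid=500
audit(1105109579.003:103): item=0 name="/etc/shadow"
"""

# Assumption for the example: i386 syscall numbers for a handful of calls.
I386_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close", 10: "unlink", 11: "execve"}

RECORD_RE = re.compile(r'^audit\((\d+)\.(\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def signed_exit(raw: str) -> int:
    """Undo the exit=%u formatting: reinterpret the printed unsigned 32-bit
    value as the signed return_code the kernel held, so 4294967294 -> -2."""
    value = int(raw)
    return value - (1 << 32) if value >= (1 << 31) else value


def parse_fields(body: str) -> dict:
    """Split 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_events(text: str) -> list:
    """Group records by serial into one event each, decoding syscall and exit."""
    events, order = {}, []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        serial = int(m.group(3))
        fields = parse_fields(m.group(4))
        if serial not in events:
            events[serial] = {"serial": serial,
                              "time": float(f"{m.group(1)}.{m.group(2)}")}
            order.append(serial)
        ev = events[serial]
        if "syscall" in fields:
            num = int(fields["syscall"])
            ev["syscall"] = I386_SYSCALLS.get(num, f"syscall_{num}")
            ev["exit"] = signed_exit(fields["exit"])
            # Negative exit is -errno; look up its symbolic name.
            ev["errno"] = errorcode.get(-ev["exit"]) if ev["exit"] < 0 else None
            ev["pid"] = int(fields["pid"])
            ev["uid"] = int(fields["uid"])
        if "name" in fields:
            ev.setdefault("names", []).append(fields["name"])
    return [events[s] for s in order]


def failed_unlinks(text: str) -> list:
    """The query the thread is after: which unlink calls failed, on what path, why."""
    return [(ev.get("names", [None])[0], ev["errno"])
            for ev in parse_events(text)
            if ev.get("syscall") == "unlink" and ev.get("exit", 0) < 0]


if __name__ == "__main__":
    for path, err in failed_unlinks(SAMPLE_LOG):
        print(f"unlink({path}) failed with {err}")
```

Filtering on a negative exit in user space, as failed_unlinks does, is the fallback when the kernel-side success filter mentioned above is not yet doing its job; once it is, the same parser sees only the records the kernel chose to send.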