audit 0.6 release
Steve Grubb
sgrubb at redhat.com
Fri Jan 7 15:12:59 UTC 2005
On Friday 07 January 2005 09:44, Browder, Tom wrote:
> Notice that I can get the file name, the system call, and the exit
> status of unlink (but I suspect the print format for the exit code is %u
> instead of %d, thus the apparent large number probably from a negative
> exit code).
Yes. We've been talking about that. Also translating the syscall from a number
to its proper text name.
In auditsc.c, in the audit_log_exit function:

    if (context->return_valid)
        audit_log_format(ab, " exit=%u", context->return_code);
That should be %d.
> But do there have to be two messages?
I asked that question Wednesday. Why does log exit loop, spitting out little
messages instead of one? I think we decided to leave it as is and query tools
need to handle multiple records.
> (can I assume the messages always come in matching, adjacent pairs?).
Yes
> To sum up, I believe I can write a perl parser to do what I need now
> (assuming the exit code is correct), even though the message traffic is
> so high.
The success option is what will help you lower the number of records the
kernel sends to user space. I suppose we need to figure out its correct usage
or if it's broken.
-Steve Grubb
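The %u/%d point above, shown in a small added C example that is not part of this thread or of the kernel audit code: it renders a negative return code the way the quoted " exit=%u" format does, renders it with the corrected %d, and shows how a user-space parser can recover the signed value from a record that was already written with %u. The record string, the helper names (render_exit, parse_exit_field, exit_field_roundtrip) and the use of int for the return code are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for audit_log_format(ab, " exit=%u"/"%d", context->return_code).
 * fixed == 0 reproduces the %u conversion from the thread, fixed != 0 the %d
 * conversion proposed as the fix. Returns a static buffer. */
const char *render_exit(int return_code, int fixed)
{
    static char buf[32];
    if (fixed)
        snprintf(buf, sizeof buf, " exit=%d", return_code);
    else
        snprintf(buf, sizeof buf, " exit=%u", (unsigned int)return_code);
    return buf;
}

/* Extract exit= from an audit record and return the signed value.
 * A value above INT32_MAX is taken to be a negative 32-bit return code that
 * was printed with %u, so the 2^32 wraparound is undone.
 * Returns 1 and sets *out on success, 0 if no usable exit= field exists. */
int parse_exit_field(const char *record, int *out)
{
    const char *p = strstr(record, "exit=");
    char *end;
    long long v;

    if (!p)
        return 0;
    p += strlen("exit=");
    errno = 0;
    v = strtoll(p, &end, 10);          /* accepts "-2" as well as "4294967294" */
    if (end == p || errno)
        return 0;
    if (v > INT32_MAX)
        v -= 4294967296LL;             /* undo the unsigned rendering */
    if (v < INT32_MIN || v > INT32_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Format a return code with the buggy %u, parse it back, return the result. */
int exit_field_roundtrip(int return_code)
{
    char record[96];
    int parsed = 0;

    /* constructed record fragment; syscall number left as a placeholder */
    snprintf(record, sizeof record, "syscall=NN success=no%s",
             render_exit(return_code, 0));
    if (!parse_exit_field(record, &parsed))
        return INT32_MIN;              /* sentinel: field missing */
    return parsed;
}

int main(void)
{
    int rc = -ENOENT;                  /* e.g. unlink() on a missing path */

    printf("kernel %%u:%s\n", render_exit(rc, 0));
    printf("kernel %%d:%s\n", render_exit(rc, 1));
    printf("parser recovers: %d\n", exit_field_roundtrip(rc));
    return 0;
}
```

The wraparound check only applies to 32-bit return codes; on the page the kernel field is printed with a 32-bit conversion, which is what makes the large unsigned number appear in the first place.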