[RFC][PATCH] loginuid through procfs (+ a question)

Steve Grubb sgrubb at redhat.com
Fri Jan 7 21:14:10 UTC 2005


On Friday 07 January 2005 16:58, Serge Hallyn wrote:
> A related question:  On receipt of a AUDIT_USER message, we log the pid
> and uid, but not the loginuid.  

You mean in af_netlink.c? That info comes from the netlink credentials.

> Is it ok to force the user-space code to search through previous log 
> entries to determine the correct loginuid, or would we prefer to send 
> the loginuid in the log entry?

I had no plans to do that. I think if there's a reason that the information is 
needed then the kernel should collect it and send it in the audit packet 
instead of userspace gluing it together. The critical piece of info may have 
occurred before the log starts or in another log if it rotated (recurring 
cron job). It just gets messy. Better to collect it if its required. My 2 
cents.

-Steve Grubb




More information about the Linux-audit mailing list