[RFC][PATCH] loginuid through procfs (+ a question)
Steve Grubb
sgrubb at redhat.com
Fri Jan 7 21:14:10 UTC 2005
On Friday 07 January 2005 16:58, Serge Hallyn wrote:
> A related question: On receipt of a AUDIT_USER message, we log the pid
> and uid, but not the loginuid.
You mean in af_netlink.c? That info comes from the netlink credentials.
> Is it ok to force the user-space code to search through previous log
> entries to determine the correct loginuid, or would we prefer to send
> the loginuid in the log entry?
I had no plans to do that. I think if there's a reason that the information is
needed then the kernel should collect it and send it in the audit packet
instead of userspace gluing it together. The critical piece of info may have
occurred before the log starts or in another log if it rotated (recurring
cron job). It just gets messy. Better to collect it if its required. My 2
cents.
-Steve Grubb
More information about the Linux-audit
mailing list