audit 0.9.12 released

David Woodhouse dwmw2 at infradead.org
Thu Jun 23 21:08:19 UTC 2005


On Thu, 2005-06-23 at 15:16 -0400, Steve Grubb wrote:
> However...I looked at the user filtering and it is not working. I think I know 
> why. netlink is an async interface. This means that the task may not be alive 
> when the user message is processed. It currently detects the and returns 
> -ESRCH, but the sender is long gone.

The sender isn't long gone; if it has disappeared without waiting for
the ack (as libaudit does) then the -ESRCH will mean that the message
isn't logged.

If you send a message and disappear without waiting for the ack, then
your message may or may not get logged. If it _is_ logged, then it'll be
logged with the correct credentials. 

I think it's OK to declare that sending a message without waiting for
the ack is not guaranteed to work.

I'm more interested in finding the real reason why it didn't work. Were
you setting the syscall bitmask to all ones in auditctl?

-- 
dwmw2
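
The point made in the reply above, as an added example that is not part of the original message or of libaudit: a sender that sets NLM_F_ACK and reads the kernel's NLMSG_ERROR reply learns whether its user message was accepted or rejected (for instance with -ESRCH). The function names are hypothetical and the ack bytes are constructed; the numeric constants are the ones in linux/netlink.h and linux/audit.h.

```python
import errno
import socket
import struct

NLMSG_ERROR = 2                       # linux/netlink.h
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NETLINK_AUDIT = 9
AUDIT_USER = 1005                     # linux/audit.h
NLMSGHDR = struct.Struct("=IHHII")    # nlmsg_len, type, flags, seq, pid


def build_user_msg(text: str, seq: int) -> bytes:
    """AUDIT_USER request that asks the kernel for an ack."""
    payload = text.encode() + b"\0"
    hdr = NLMSGHDR.pack(NLMSGHDR.size + len(payload), AUDIT_USER,
                        NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + payload + b"\0" * (-len(payload) % 4)   # pad to 4 bytes


def parse_ack(reply: bytes, seq: int) -> int:
    """Return 0 if message `seq` was accepted, else a positive errno."""
    if len(reply) < NLMSGHDR.size + 4:
        raise ValueError("short netlink reply")
    _len, mtype, _flags, rseq, _pid = NLMSGHDR.unpack_from(reply)
    if mtype != NLMSG_ERROR or rseq != seq:
        raise ValueError("not the ack for this message")
    (err,) = struct.unpack_from("=i", reply, NLMSGHDR.size)
    return -err                       # nlmsgerr.error is 0 or -errno


def send_and_wait(text: str, seq: int = 1) -> int:
    """Send, then block until the ack arrives (Linux, CAP_AUDIT_WRITE)."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as s:
        s.bind((0, 0))
        s.sendto(build_user_msg(text, seq), (0, 0))       # pid 0 = kernel
        return parse_ack(s.recv(8192), seq)


def constructed_ack(seq: int, err: int) -> bytes:
    """Constructed sample of the NLMSG_ERROR reply, for offline checking."""
    orig = NLMSGHDR.pack(NLMSGHDR.size, AUDIT_USER,
                         NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    body = struct.pack("=i", -err) + orig
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), NLMSG_ERROR, 0, seq, 0) + body


if __name__ == "__main__":
    rc = parse_ack(constructed_ack(7, errno.ESRCH), 7)
    print("ack for seq 7:", "logged" if rc == 0 else errno.errorcode[rc])
```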



