[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#6 U1) the latest incarnation



On Thu, 2005-03-24 at 11:00 -0600, Timothy R. Chavez wrote:
> Hmmm...  Here's what I get:
> 
> ./auditctl -w /audit/foo -k fk_foo
> cat /audit/foo
> 
> audit(1111683374.383:13808290): name="foo" filterkey=fk_foo perm=0 perm_mask=4 
> inode=962899 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
> audit(1111683374.383:13808290): syscall=5 exit=3 a0=bffff8a3 a1=8000 a2=0 
> a3=8000 items=1 pid=31676 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 
> egid=0 sgid=0 fsgid=0
> audit(1111683374.383:13808290): item=0 name="/audit/foo" inode=962899 
> dev=00:00
> 
> This seems to be a complete a record.  I add an additional watch:

It has all of the desired information, but is being emitted as multiple
audit records (which can be correlated using the timestamp/serial
number), and the first line is being emitted immediately by your hook
while the latter two are being emitted by the audit_log_exit upon
audit_syscall_exit.  The question is whether we want your older approach
(save information in current audit context for later processing by
audit_log_exit), with just the modification of setting the auditable
flag to ensure generation, or the approach in your current patch, which
is more like what SELinux does presently.

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]