
Re: [RFC][PATCH] collect security labels on user processes generating audit messages



On Wed, 2006-02-15 at 13:18 -0500, Linda Knippers wrote:
> Steve Grubb wrote:
> > On Wednesday 15 February 2006 12:17, Linda Knippers wrote:
> > 
> >>How can I tell from the audit records that the file name was "(null)"
> >>vs. having "(null)" manufactured by the audit system?
> > 
> > 
> > ls -i "(null)"
> > 
> > and then compare inode values.
> 
> The inode could be long gone by the time I'm looking at the audit log.
> 
> -- ljk
> 
> 

A clumsy way of doing it would be to encode the file name "(null)" in
hex.  If it shows up as "(null)" in the log, then we know we meant NULL.

-tim
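
A sketch of the scheme suggested above, added as an example and not code from the audit project or from anyone in this thread: the writer hex-encodes a file literally named "(null)", so a bare (null) in a record can only mean a NULL name. The `name=` field layout, the quoting of ordinary names, the hex rule for unsafe bytes, and all function names are assumptions made for the example.

```python
import binascii
import re

NULL_TOKEN = "(null)"  # bare token the writer emits when it has no name

def encode_name(name):
    """Writer side: render a file name (str or None) for a name= field."""
    if name is None:
        return NULL_TOKEN
    raw = name.encode("utf-8")
    # Assumed rule: hex-encode anything a quoted field cannot carry safely.
    unsafe = any(b <= 0x20 or b >= 0x7F or b == 0x22 for b in raw)
    if unsafe or name == NULL_TOKEN:
        return binascii.hexlify(raw).decode("ascii").upper()
    return '"' + name + '"'

def decode_name(field):
    """Reader side: None means NULL; otherwise the file name as bytes."""
    if field == NULL_TOKEN:
        return None
    if len(field) >= 2 and field[0] == '"' and field[-1] == '"':
        return field[1:-1].encode("ascii")
    if len(field) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", field):
        return binascii.unhexlify(field)
    raise ValueError("unrecognised name field: %r" % field)

def name_from_record(record):
    """Pull the name= field out of one record line and decode it."""
    m = re.search(r'\bname=("[^"]*"|\S+)', record)
    if m is None:
        raise ValueError("record has no name= field")
    return decode_name(m.group(1))

# Constructed sample records, not taken from a real log.
SAMPLE_RECORDS = [
    "type=PATH msg=audit(0.000:1): name=(null) inode=0",
    "type=PATH msg=audit(0.000:2): name=286E756C6C29 inode=1234",
    'type=PATH msg=audit(0.000:3): name="passwd" inode=5678',
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(name_from_record(rec))
```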

