[PATCH] Fixed reason field in audit signal logging
Steve Grubb
sgrubb at redhat.com
Thu Nov 7 16:11:09 UTC 2013
On Thursday, November 07, 2013 10:42:21 AM Eric Paris wrote:
> > I am confused. This is the abnormal end event I have:
> >
> >
> > type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm="aureport" sig=11
> >
> >
> > Why / when did we start adding text explanations? We should not do that.
> > We didn't have it before and it should not have been added. The signal
> > number is enough to identify the problem.
>
> We started adding a reason when seccomp started sending ANOM_ABEND
> events as well. It doesn't do so with a signal. Agreed, the " " is/was
> a bad idea...
Does seccomp still send these? I see there is an AUDIT_SECCOMP event being
sent by __audit_seccomp(). Does seccomp do anything with ABEND at this point?
-Steve