Unique audit record type ranges for individual LSMs

Laurent Bigonville bigon at debian.org
Mon Dec 18 10:28:17 UTC 2017


On 06/12/17 at 18:51, Tyler Hicks wrote:
> If so, does everyone agree that 1500-1599 would be acceptable for
> AppArmor to use?
FTR, the apparmor userspace library seems to have supported the 15xx range for 
quite some time already, I see the following commit in the git repository:

commit a6a88a4dd7ec9fd59b01c27f8cd40f653386107b
Author: Steve Beattie <steve at nxnw.org>
Date:   Fri Sep 14 14:00:48 2007 +0000

     This patch adds support to the logparsing library for the type=15xx
     flags when events come through the audit subsystem. It also fixes the
     case where the audit daemon has not been configured with apparmor
     support and the events are reported as type=UNKNOWN[15xx].
     
     It also fixes the testsuite dependencies so that they will get relinked
     when the library changes.

This commit contains the following used IDs:

+/* FIXME: this ought to be pulled from <linux/audit.h> but there's no
+ * guarantee these will exist there. */
+#define AUDIT_APPARMOR_AUDIT    1501    /* AppArmor audited grants */
+#define AUDIT_APPARMOR_ALLOWED  1502    /* Allowed Access for learning */
+#define AUDIT_APPARMOR_DENIED   1503
+#define AUDIT_APPARMOR_HINT     1504    /* Process Tracking information */
+#define AUDIT_APPARMOR_STATUS   1505    /* Changes in config */
+#define AUDIT_APPARMOR_ERROR    1506    /* Internal AppArmor Errors */
+
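Review bot: the six #define lines are unconditional even though the FIXME directly above them says the values ought to come from <linux/audit.h>. Wrapping each one in an #ifndef guard on its own name would let the header's definitions take precedence wherever they exist and keep these values as the fallback. AUDIT_APPARMOR_DENIED (1503) is also the only entry without a trailing comment; a short description in the style of the other five would keep the list self-documenting.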

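The handling the commit message describes (records arriving as type=15xx, or as type=UNKNOWN[15xx] when the audit daemon has no AppArmor support), sketched as an added example that is not libapparmor's own code. The function names `aa_record_type` and `digits`, the symbolic spellings in `aa_names` and the sample lines are assumptions constructed for illustration; only the numeric values come from the commit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* First and last values of the range listed in the quoted commit. */
#define AUDIT_APPARMOR_AUDIT 1501
#define AUDIT_APPARMOR_ERROR 1506
/* Assumed symbolic spellings: the macro names without the AUDIT_ prefix. */
static const char *const aa_names[] = {
    "APPARMOR_AUDIT", "APPARMOR_ALLOWED", "APPARMOR_DENIED",
    "APPARMOR_HINT",  "APPARMOR_STATUS",  "APPARMOR_ERROR",
};

/* Value of a token made of exactly n decimal digits (1..4), else -1. */
static long digits(const char *s, size_t n)
{
    if (n == 0 || n > 4 || strspn(s, "0123456789") != n)
        return -1;
    return strtol(s, NULL, 10);
}

/* Return 1501..1506 for an AppArmor record line, -1 for anything else. */
int aa_record_type(const char *line)
{
    if (strncmp(line, "type=", 5) != 0)
        return -1;
    const char *v = line + 5;
    size_t len = strcspn(v, " \t\n");   /* type token ends at whitespace */
    long n;
    if (len >= 9 && strncmp(v, "UNKNOWN[", 8) == 0 && v[len - 1] == ']')
        n = digits(v + 8, len - 9);     /* daemon lacks AppArmor names */
    else if (v[0] >= '0' && v[0] <= '9')
        n = digits(v, len);             /* bare numeric type */
    else {
        for (size_t i = 0; i < sizeof aa_names / sizeof *aa_names; i++)
            if (strlen(aa_names[i]) == len && !memcmp(v, aa_names[i], len))
                return AUDIT_APPARMOR_AUDIT + (int)i;
        return -1;
    }
    return (n >= AUDIT_APPARMOR_AUDIT && n <= AUDIT_APPARMOR_ERROR) ? (int)n : -1;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real log. */
    const char *s[] = { "type=UNKNOWN[1503] msg=audit(1.0:1): x",
                        "type=APPARMOR_STATUS msg=audit(1.0:2): x" };
    for (int i = 0; i < 2; i++)
        printf("%d\n", aa_record_type(s[i]));
}
```

Values outside 1501-1506 are rejected rather than passed through, so a consumer that only understands the six listed types never acts on a record it cannot classify.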


