Seaudit in Fedora Core 4

Stephen Smalley sds at tycho.nsa.gov
Thu Nov 10 18:31:32 UTC 2005


On Thu, 2005-11-10 at 13:27 -0500, Stephen Smalley wrote:
> On Thu, 2005-11-10 at 12:46 -0300, Ma. Alejandra Castillo wrote:
> > I am using the seaudit tool in Fedora Core 4, but the host and
> > executable fields always appear empty, which is very strange. I am
> > loading /var/log/audit.log; any suggestion so that these fields
> > appear?
> 
> Logging of the executable path migrated from the SELinux avc audit code
> to the syscall audit code due to a deadlock issue, so avc messages only
> include the comm= information now.  However, whenever an avc message is
> generated, a syscall audit record is also generated when the syscall
> exits, and that includes the exe= information.  The two messages can be
> correlated using the audit event id.  I don't know if newer versions of
> seaudit perform such correlation or not.

BTW, you can also use aureport and ausearch to query the audit logs.

-- 
Stephen Smalley
National Security Agency
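
The correlation Stephen describes above (joining each AVC record to the SYSCALL record of the same audit event to recover exe=) is straightforward to do by hand when a tool does not do it for you. The following is an added example, not code from the original thread or from the seaudit/audit projects. It parses a few constructed audit.log lines in auditd's native format, groups records by the event id carried in msg=audit(<seconds>.<millis>:<serial>), and attaches the SYSCALL record's exe= (and the syscall result) to each AVC denial. Paths, pids, inodes and contexts in the sample are hypothetical; the event id is keyed on both the timestamp and the serial because the kernel's serial counter restarts at boot.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd /var/log/audit.log format. The first AVC
# denial is followed by its SYSCALL record (same event id 1131643412.801:1042);
# the second AVC has no partner, which is the case that leaves exe empty.
SAMPLE_LOG = """\
type=AVC msg=audit(1131643412.801:1042): avc:  denied  { read } for  pid=2187 comm="httpd" name="index.html" dev=sda3 ino=66092 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1131643412.801:1042): arch=40000003 syscall=5 success=no exit=-13 a0=8ab2f08 a1=8000 a2=0 a3=8000 items=0 pid=2187 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t key=(null)
type=AVC msg=audit(1131643420.114:1043): avc:  denied  { write } for  pid=2301 comm="named" name="named.conf" dev=sda3 ino=12345 scontext=root:system_r:named_t tcontext=root:object_r:named_conf_t tclass=file
"""

# Every record starts with type=<TYPE> msg=audit(<ts>:<serial>): <body>.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs in the body; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set in an AVC body, e.g. { read } or { read write }.
PERM_RE = re.compile(r'\{ ([^}]*) \}')


def parse_record(line):
    """Split one audit.log line into type, event id and a dict of fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return {
        'type': m.group('type'),
        # (timestamp, serial) together identify the event; the serial alone
        # is only unique within one boot of the kernel.
        'event': (m.group('ts'), int(m.group('serial'))),
        'fields': fields,
        'body': m.group('body'),
    }


def correlate_avc(log_text):
    """Return one summary dict per AVC record, with exe= taken from the SYSCALL
    record that shares its event id (None when no SYSCALL record is present)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['event']].append(rec)

    results = []
    for event in sorted(events):
        recs = events[event]
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        sc = syscall['fields'] if syscall else {}
        for avc in (r for r in recs if r['type'] == 'AVC'):
            perm = PERM_RE.search(avc['body'])
            f = avc['fields']
            results.append({
                'ts': event[0],
                'serial': event[1],
                'pid': f.get('pid'),
                'comm': f.get('comm'),          # always present in the AVC record
                'exe': sc.get('exe'),           # only present in the SYSCALL record
                'syscall': sc.get('syscall'),
                'success': sc.get('success'),
                'perm': perm.group(1).strip() if perm else None,
                'tclass': f.get('tclass'),
                'scontext': f.get('scontext'),
                'tcontext': f.get('tcontext'),
            })
    return results


def format_event(ev):
    """One-line rendering in the spirit of seaudit's columns."""
    return ('%s:%d pid=%s comm=%s exe=%s denied {%s} %s -> %s class=%s' % (
        ev['ts'], ev['serial'], ev['pid'], ev['comm'],
        ev['exe'] or '<missing: no SYSCALL record>',
        ev['perm'], ev['scontext'], ev['tcontext'], ev['tclass']))


if __name__ == '__main__':
    for ev in correlate_avc(SAMPLE_LOG):
        print(format_event(ev))
```

Run against a real /var/log/audit.log, the script fills in exe= for every denial whose SYSCALL record made it to the log; a denial that still shows the placeholder was logged without one, which is exactly the situation that leaves seaudit's executable column blank. The same join can be had from the audit tools Stephen mentions: ausearch -a <serial> prints every record belonging to one event id, and ausearch -m avc selects the AVC records to start from.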