Seaudit in Fedora Core 4
Stephen Smalley
sds at tycho.nsa.gov
Thu Nov 10 18:31:32 UTC 2005
On Thu, 2005-11-10 at 13:27 -0500, Stephen Smalley wrote:
> On Thu, 2005-11-10 at 12:46 -0300, Ma. Alejandra Castillo wrote:
> > I am occupying the tool seaudit in Fedora Core 4, but the fields host
> > and executable they appear always empty, which is very strange. I am
> > charging /var/log/audit.log, some suggestion so that these fields
> > appear?
>
> Logging of the executable path migrated from the SELinux avc audit code
> to the syscall audit code due to a deadlock issue, so avc messages only
> include the comm= information now. However, whenever an avc message is
> generated, a syscall audit record is also generated when the syscall
> exits, and that includes the exe= information. The two messages can be
> correlated using the audit event id. I don't know if newer versions of
> seaudit perform such correlation or not.
BTW, you can also use aureport and ausearch to query the audit logs.
--
Stephen Smalley
National Security Agency
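The reply above explains that the AVC record and the SYSCALL record for the same denial share an audit event id (the serial inside `msg=audit(<time>:<serial>)`), and that exe= now lives only on the SYSCALL side. The following is an added example, not code from this thread, from seaudit or from the audit package, that performs that join in Python over a few constructed audit.log lines; every timestamp, serial, PID, path and context in the sample is made up for illustration, and the third AVC deliberately has no matching SYSCALL record to show how an unjoined event is reported.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the style of /var/log/audit.log; the timestamps,
# serials, PIDs, contexts and paths are made-up values for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1131643000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=1234 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1131643000.123:456): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe000 a1=0 a2=1b6 a3=0 items=1 pid=2345 auid=4294967295 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t key=(null)
type=AVC msg=audit(1131643001.500:457): avc:  denied  { write } for  pid=2400 comm="named" name="data" dev=sda1 ino=99 scontext=root:system_r:named_t tcontext=root:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1131643001.500:457): arch=40000003 syscall=39 success=no exit=-13 a0=bfffe100 items=1 pid=2400 auid=4294967295 uid=25 gid=25 comm="named" exe="/usr/sbin/named" subj=root:system_r:named_t key=(null)
type=AVC msg=audit(1131643002.000:458): avc:  denied  { getattr } for  pid=2500 comm="cupsd" name="printers.conf" dev=sda1 ino=77 scontext=root:system_r:cupsd_t tcontext=root:object_r:etc_t tclass=file
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <body>
HEADER_RE = re.compile(r'^type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs in the body; values are either quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set an AVC line reports, e.g. 'avc:  denied  { read write }'
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_line(line):
    """Split one audit record into (type, timestamp, serial, fields dict).

    Returns None for lines that do not look like audit records.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    if rtype == 'AVC':
        avc = AVC_RE.search(body)
        if avc:
            fields['result'] = avc.group(1)
            fields['permissions'] = avc.group(2).split()
    return rtype, ts, int(serial), fields


def correlate(log_text):
    """Join each AVC record with the SYSCALL record that shares its serial.

    Returns one dict per AVC record, carrying comm= from the AVC line and
    exe= from the matching SYSCALL line. exe is None when no SYSCALL record
    with that serial was seen (for example a truncated or rotated log).
    """
    avcs = OrderedDict()   # serial -> [(timestamp, AVC fields), ...] in file order
    syscalls = {}          # serial -> SYSCALL fields
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        if rtype == 'AVC':
            avcs.setdefault(serial, []).append((ts, fields))
        elif rtype == 'SYSCALL':
            syscalls[serial] = fields

    events = []
    for serial, entries in avcs.items():
        sc = syscalls.get(serial, {})
        for ts, f in entries:
            events.append({
                'serial': serial,
                'timestamp': ts,
                'pid': f.get('pid'),
                'comm': f.get('comm'),            # from the AVC record
                'exe': sc.get('exe'),             # from the SYSCALL record, if any
                'syscall_success': sc.get('success'),
                'result': f.get('result'),
                'permissions': f.get('permissions', []),
                'scontext': f.get('scontext'),
                'tcontext': f.get('tcontext'),
                'tclass': f.get('tclass'),
            })
    return events


if __name__ == '__main__':
    for e in correlate(SAMPLE_LOG):
        print(f"{e['serial']} {e['result']} {{ {' '.join(e['permissions'])} }} "
              f"comm={e['comm']} exe={e['exe'] or '<no SYSCALL record>'} "
              f"{e['scontext']} -> {e['tcontext']}:{e['tclass']}")
```

The join key is the serial alone because the kernel allocates one serial per audit event, so every record emitted for that event (AVC, SYSCALL, PATH, CWD) shares it; the timestamp is carried along only for display. This is the same grouping the audit tools mentioned above rely on: `ausearch -m avc` prints all records belonging to an event together, and `aureport -a` summarises the AVC records.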