Seaudit in fedora Core 4

Kevin Carr kcarr at tresys.com
Tue Nov 15 16:19:53 UTC 2005


> On Thu, 2005-11-10 at 12:46 -0300, Ma. Alejandra Castillo wrote:
> > I am occupying the tool seaudit in fedora core 4, but the fields host
> > and executable always appear empty, which is very strange. I am
> > charging /var/log/audit.log, some suggestion so that these fields
> > appear?
> 
> Logging of the executable path migrated from the SELinux avc audit code
> to the syscall audit code due to a deadlock issue, so avc messages only
> include the comm= information now.  However, whenever an avc message is
> generated, a syscall audit record is also generated when the syscall
> exits, and that includes the exe= information.  The two messages can be
> correlated using the audit event id.  I don't know if newer versions of
> seaudit perform such correlation or not.

We don't support the syscall records now, so correlation is not supported
either.  We are looking into this as it seems useful especially now that
there is less information in the avc messages.

Kevin Carr
Tresys Technology
410.290.1411 x137
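
The correlation by audit event id described in the quoted reply, sketched as an added example (not part of the original message, and not seaudit code). The log lines are constructed samples in the audit.log layout, and the name correlate is hypothetical.

```python
import re

# Constructed sample records (not taken from the thread). The second AVC has
# no SYSCALL partner, so its exe stays unknown.
SAMPLE_LOG = """\
type=AVC msg=audit(1132071593.101:4567): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=hda2 ino=81234 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1132071593.101:4567): arch=40000003 syscall=5 success=no exit=-13 a0=8a1c2d8 a1=8000 a2=0 a3=8000 items=1 pid=2101 auid=4294967295 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1132071601.550:4570): avc:  denied  { write } for  pid=2230 comm="named" name="named.pid" dev=hda2 ino=9911 scontext=system_u:system_r:named_t tcontext=system_u:object_r:var_run_t tclass=file
this line is not an audit record
"""

# type=..., then the event id "timestamp:serial" inside msg=audit(...)
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')


def correlate(text):
    """Return one dict per AVC record, with exe taken from the SYSCALL
    record that carries the same audit event id (None if there is none)."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            perms = PERMS.search(body)
            avcs.append({
                "event": event_id,
                "comm": fields.get("comm"),
                "perms": perms.group(1) if perms else None,
                "tclass": fields.get("tclass"),
            })
        elif rtype == "SYSCALL":
            syscalls[event_id] = fields
    # The SYSCALL record is written at syscall exit, after the AVC record,
    # so join only once every line has been read.
    for avc in avcs:
        avc["exe"] = syscalls.get(avc["event"], {}).get("exe")
    return avcs


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```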




