Getting the program name in audit messages
David Woodhouse
dwmw2 at infradead.org
Fri Apr 1 13:36:28 UTC 2005
On Fri, 2005-04-01 at 08:18 -0500, Stephen Smalley wrote:
> Whenever avc_audit() generates a log message via audit_log*, the
> auditable flag is enabled, so audit_log_exit() will be called upon
> syscall exit and the exe= and comm= information will then be provided at
> that time, and can be correlated with the avc message using the
> timestamp and serial number.
Setting the auditable flag is only going to cause audit_log_exit() to be
called on syscall exit _if_ audit_syscall_exit() is actually called.
That's often in the slow path of the syscall return, and triggered only
if something like TIF_SYSCALL_AUDIT is set in the thread_info flags.
--
dwmw2
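The correlation Stephen describes (matching an AVC record to the SYSCALL record that carries the same `audit(timestamp:serial)` stamp, and reading exe= and comm= from the latter) and the failure mode David points out (no SYSCALL record at all when audit_syscall_exit() never runs, so the AVC record stays unattributed), shown as an added Python example. This is not code from the original thread or from the kernel audit subsystem; the log lines are constructed samples in the standard `type=... msg=audit(ts:serial): ...` record format, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread). Serial 42 has a
# companion SYSCALL record; serial 43 has only the AVC record, which is
# what you see when syscall exit auditing was not active for that task.
SAMPLE_LOG = """\
type=AVC msg=audit(1112362708.101:42): avc:  denied  { read } for  pid=2501 name="shadow" dev=hda3 ino=6172 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1112362708.101:42): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe4c0 a1=0 a2=1b6 a3=bfffe4c0 items=1 pid=2501 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1112362719.555:43): avc:  denied  { write } for  pid=2788 name="messages" dev=hda3 ino=9911 scontext=user_u:system_r:user_t tcontext=system_u:object_r:var_log_t tclass=file
"""

# Record header: type, then the audit(timestamp:serial) stamp, then the body.
MSG_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs in the body; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Parse audit lines into dicts of (type, correlation key, fields)."""
    records = []
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # not an audit record; skip silently
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
        records.append({
            'type': m.group('type'),
            # timestamp + serial together identify one event's record set
            'key': (m.group('ts'), int(m.group('serial'))),
            'fields': fields,
        })
    return records


def correlate(records):
    """Group records by their audit(ts:serial) stamp."""
    by_key = defaultdict(lambda: {'avc': [], 'syscall': None})
    for rec in records:
        slot = by_key[rec['key']]
        if rec['type'] == 'AVC':
            slot['avc'].append(rec['fields'])
        elif rec['type'] == 'SYSCALL':
            slot['syscall'] = rec['fields']
    return by_key


def attribute_denials(text):
    """One row per AVC record, with exe/comm filled from the matching SYSCALL
    record when there is one. 'attributed' is False when no SYSCALL record
    shares the stamp, i.e. audit_log_exit() did not run for that event."""
    rows = []
    grouped = correlate(parse_records(text))
    for (_ts, serial), slot in sorted(grouped.items(), key=lambda kv: kv[0][1]):
        sc = slot['syscall']
        for avc in slot['avc']:
            rows.append({
                'serial': serial,
                'pid': avc.get('pid'),
                'comm': sc.get('comm') if sc else None,
                'exe': sc.get('exe') if sc else None,
                'attributed': sc is not None,
            })
    return rows


def unattributed_serials(text):
    """Serials of AVC records that cannot be tied to a program via SYSCALL."""
    return [r['serial'] for r in attribute_denials(text) if not r['attributed']]


if __name__ == '__main__':
    for row in attribute_denials(SAMPLE_LOG):
        print(row)
    print('AVC records without a SYSCALL companion:', unattributed_serials(SAMPLE_LOG))
```

Running this on the sample prints serial 42 attributed to `/usr/sbin/httpd` (comm `httpd`) and serial 43 with `exe`/`comm` of `None`; the second case is the gap David describes, and a non-empty result from `unattributed_serials` on a real log is the quickest check that syscall auditing was not in effect for the tasks that generated those denials.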