dev information for open, exec?
Chris Wright
chrisw at osdl.org
Tue Feb 22 17:54:42 UTC 2005
* Erich Schubert (erich.schubert at gmail.com) wrote:
> The log lines I get look like the following:
> type=KERNEL msg=audit(1109035917.261:14548): item=0 name=/usr/share/locale/de/LC_MESSAGES/coreutils.mo inode=852010 dev=00:00
> and the dev=00:00 value is bogus; I never get a different value.
The dev value is actually rdev. So it's not bogus if you're accessing,
for example, /dev/hda1. Reasonable question whether that's both
intentional and sufficient. Given namespace possibilities, I assumed
that dev/ino pair was dumped to uniquely identify the object.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
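
Added example, not part of the original message and not the kernel's audit code: a small C program that prints both st_dev (the filesystem holding the inode) and st_rdev (the device a special file refers to) for a path, in the MAJOR:MINOR hex layout of the quoted record. The function names and the default paths are assumptions made for illustration; it shows why a regular file reports rdev 00:00 while a device node does not.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>

/* Format a dev_t as two-digit hex MAJOR:MINOR, like dev=00:00 in the record. */
static void fmt_dev(dev_t d, char *out, size_t n)
{
    snprintf(out, n, "%02x:%02x", major(d), minor(d));
}

/*
 * Hypothetical helper: fill `dev` from st_dev and `rdev` from st_rdev.
 * st_dev plus the inode number identifies the object within the system;
 * st_rdev is only meaningful for character and block device nodes.
 * Returns 0 on success, -1 if stat() fails.
 */
int dev_and_rdev(const char *path, char *dev, char *rdev, size_t n)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    fmt_dev(st.st_dev, dev, n);
    fmt_dev(st.st_rdev, rdev, n);
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed defaults: a directory and a device node. */
    const char *defaults[] = { "/", "/dev/null" };
    const char **paths = argc > 1 ? (const char **)(argv + 1) : defaults;
    int count = argc > 1 ? argc - 1 : 2;
    char dev[16], rdev[16];

    for (int i = 0; i < count; i++) {
        if (dev_and_rdev(paths[i], dev, rdev, sizeof dev) != 0) {
            perror(paths[i]);
            continue;
        }
        printf("name=%s dev=%s rdev=%s\n", paths[i], dev, rdev);
    }
    return 0;
}
```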