audit message types
Debora Velarde
dvelarde at us.ibm.com
Tue May 10 14:07:05 UTC 2005
+define AUDIT_SYSCALL 1300 /* Syscall event */
+define AUDIT_IPC 1303 /* IPC record */
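Review bot: the comments on AUDIT_SYSCALL and AUDIT_IPC ("Syscall event", "IPC record") do not say whether a type 1303 record is emitted in place of the type 1300 record or alongside it. Stating in the AUDIT_IPC comment which of the two applies would tell a log consumer how to match the types.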
Does this mean that on X86_64 a record for semget shows up as a record of
type AUDIT_SYSCALL, but on all platforms, it comes out as AUDIT_IPC record?
Also true for other syscalls including: msgctl, msgget, msgrecv, msgsend,
semctl, semop, semtimedop, shmat, shmctl, shmdt, shmget.
+define AUDIT_SOCKET 1304 /* Socket record */
Would this make the bind syscall generate records of type AUDIT_SOCKET?
-debbie
linux-audit-bounces at redhat.com wrote on 05/10/2005 08:47:35 AM:
> On Tuesday 19 April 2005 11:23, Steve Grubb wrote:
> > I wanted to start a discussion about an old topic that we last discussed
> > back in December. The problem basically centers around the audit message
> > type being too coarse to be of any real use.
> Attached is my current working patch for people to review and comment on. It
> is not a final patch. I still need to review all messages to ensure we have
> everything that it's supposed to be. The patch is against the .31 kernel with
> all my previous patches applied.
> If there are no objections or concerns, I will finalize this patch and release
> matching user space tools.
> -Steve
> [attachment "linux-2.6.9-audit-types.patch" deleted by Debora
> Velarde/Austin/IBM]