[RFC][PATCH] collect security labels on user processes generating audit messages
Linda Knippers
linda.knippers at hp.com
Wed Feb 15 16:14:12 UTC 2006
> [..]
>
>>>
>>
>>>> > ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
>>>> > if (ab) {
>>>> > audit_log_format(ab,
>>>> > - "user pid=%d uid=%u auid=%u msg='%.1024s'",
>>>> > - pid, uid, loginuid, (char *)data);
>>>> > + "user pid=%d uid=%u auid=%u subj=%s msg='%.1024s'",
>>>> > + pid, uid, loginuid, ctx ? ctx : "null", (char *)data);
>>
>>>
>>> Do you want those "subj=null" items in the output when SELinux is
>>> disabled, or should there be a different audit_log_format call in the !
>>> ctx case that completely omits "subj="?
>>>
>
>
> I remember a while back, Steve wanting to reduce / remove the
> conditional tokens in records (I think the argument had to do with
> performance impact and parsing). Did I remember that correctly Steve?
> Assuming we do want to print the token if ctx == NULL, is there a
> standard way of printing NULL in the record? I should probably make
> sure kernel/auditsc.c:audit_log_task_context() is consistent with
> whatever we decide.
>
Amy submitted a patch a while back to eliminate the "name=" field
to avoid "name=(null)" from the audit records if there was no name
but I don't think the patch went anywhere.
https://www.redhat.com/archives/linux-audit/2005-November/msg00093.html
It looks like there's a new case (for tty) where "(none)" is used.
It would be nice to avoid having this in the audit records, especially
in this case where the value might never be set on a particular system.
-- ljk
More information about the Linux-audit
mailing list