[RFC][PATCH] collect security labels on user processes generating audit messages
Linda Knippers
linda.knippers at hp.com
Wed Feb 15 18:18:50 UTC 2006
Steve Grubb wrote:
> On Wednesday 15 February 2006 12:17, Linda Knippers wrote:
>
>>How can I tell from the audit records that the file name was "(null)"
>>vs. having "(null)" manufactured by the audit system?
>
>
> ls -i "(null)"
>
> and then compare inode values.
The inode could be long gone by the time I'm looking at the audit log.
-- ljk