[RFC][PATCH] collect security labels on user processes generating audit messages
Timothy R. Chavez
tinytim at us.ibm.com
Wed Feb 15 18:38:04 UTC 2006
On Wed, 2006-02-15 at 13:18 -0500, Linda Knippers wrote:
> Steve Grubb wrote:
> > On Wednesday 15 February 2006 12:17, Linda Knippers wrote:
> >
> >>How can I tell from the audit records that the file name was "(null)"
> >>vs. having "(null)" manufactured by the audit system?
> >
> >
> > ls -i "(null)"
> >
> > and then compare inode values.
>
> The inode could be long gone by the time I'm looking at the audit log.
>
> -- ljk
>
>
A clumsy way of doing it would be to encode the file name "(null)" in
hex. If it shows up as "(null)" in the log, then we know we meant NULL.
-tim
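
The encoding suggested in the message above, sketched as an added example; it is not part of the original thread and not the kernel's audit code. The helper names `encode_name` and `decode_name` are hypothetical, and writing ordinary names in double quotes is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not the kernel's audit code. */
enum name_kind { NAME_ABSENT, NAME_LITERAL, NAME_INVALID };

/* Writer: NULL pointer -> bare (null); a file really named "(null)" -> hex;
 * any other name -> double-quoted (assumed convention for this sketch). */
int encode_name(const char *name, char *out, size_t outlen)
{
    if (name != NULL && strcmp(name, "(null)") == 0) {
        size_t n = strlen(name);
        if (outlen < 2 * n + 1) return -1;
        for (size_t i = 0; i < n; i++)
            sprintf(out + 2 * i, "%02X", (unsigned char)name[i]);
        return (int)(2 * n);
    }
    int r = name ? snprintf(out, outlen, "\"%s\"", name)
                 : snprintf(out, outlen, "(null)");
    return (r < 0 || (size_t)r >= outlen) ? -1 : r;
}

static int hexval(char c)
{
    const char *d = "0123456789ABCDEF", *p = c ? strchr(d, c) : NULL;
    return p ? (int)(p - d) : -1;
}

/* Reader: only the bare token (null) means "no name was recorded". */
enum name_kind decode_name(const char *field, char *out, size_t outlen)
{
    size_t n = strlen(field);
    if (strcmp(field, "(null)") == 0)
        return NAME_ABSENT;
    if (n >= 2 && field[0] == '"' && field[n - 1] == '"') {
        if (n - 2 >= outlen) return NAME_INVALID;
        memcpy(out, field + 1, n - 2);
        out[n - 2] = '\0';
        return NAME_LITERAL;
    }
    if (n == 0 || n % 2 != 0 || n / 2 >= outlen)
        return NAME_INVALID;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(field[i]), lo = hexval(field[i + 1]);
        if (hi < 0 || lo < 0) return NAME_INVALID;
        out[i / 2] = (char)(hi * 16 + lo);
    }
    out[n / 2] = '\0';
    return NAME_LITERAL;
}
```

Because the record itself carries the distinction, the question can still be answered after the inode is gone.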