Dispatching of events

Steve m6x at ornl.gov
Wed Jun 14 12:41:45 UTC 2006


I have been testing the dispatch system by having auditd monitor when a 
certain file is opened, and I have always seen 3 messages per open event (a 
1300 and a 1307, followed by a 1302). I would assume other syscall rule 
violations may trigger fewer or more messages.

So, is there a way to tell when all messages for a particular event have 
been dispatched?  I am combining information from each of an event's 
messages to create an entry in a queue (containing event structures that 
I created).  I am trying to determine when I can process the combined 
event information (when there are no more messages) so it can be removed 
from the queue.

Also, is it safe to assume a type 1300 message is always the first 
message pertaining to a rule violation?

Thanks,
Steve
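One way to do the grouping the post describes, as an added example that is not part of the original message: every record of one audit event carries the same `msg=audit(<seconds>:<serial>)` identifier, so records can be collected by serial without assuming that the SYSCALL (1300) record arrives first; the stream shown here has no per-event terminator, so an event is treated as complete when a record with a newer serial arrives or the group has gone idle. The sample records, the `idle_seconds` heuristic and all function names are constructed for this example.

```python
import re

# Every record of one event shares the identifier msg=audit(<seconds>:<serial>).
# The numeric types in the post map to the text names: 1300=SYSCALL,
# 1307=CWD, 1302=PATH.
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

# Constructed sample records (not from the original post): one file-open event
# split across SYSCALL, CWD and PATH records, then a second, denied open.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1150288905.123:456): arch=c000003e syscall=2 success=yes exit=3
type=CWD msg=audit(1150288905.123:456): cwd="/home/steve"
type=PATH msg=audit(1150288905.123:456): item=0 name="/etc/shadow" inode=1234
type=SYSCALL msg=audit(1150288906.500:457): arch=c000003e syscall=2 success=no exit=-13
type=PATH msg=audit(1150288906.500:457): item=0 name="/etc/shadow" inode=1234
"""

def parse_record(line):
    """Split one audit record into its type, timestamp, serial and body."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial), "body": body}

def assemble_events(lines, idle_seconds=1.0):
    """Yield (serial, records) once an event is judged complete.

    Completion heuristic (an assumption of this example): a pending event is
    flushed when a record with a newer serial arrives, or when the newest
    timestamp seen is more than idle_seconds past the event's own timestamp.
    A record arriving after its serial was flushed starts a new partial group."""
    pending = {}            # serial -> records in arrival order (dict keeps insertion order)
    newest_time = 0.0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue        # not an audit record; skip rather than fail
        pending.setdefault(rec["serial"], []).append(rec)
        newest_time = max(newest_time, rec["time"])
        for serial in list(pending):
            stale = newest_time - pending[serial][0]["time"] > idle_seconds
            if serial < rec["serial"] or stale:
                yield serial, pending.pop(serial)
    for serial, recs in pending.items():   # end of stream: the rest is complete
        yield serial, recs

def summarize(lines):
    """Return (serial, record types in arrival order, SYSCALL came first) per event."""
    return [(s, [r["type"] for r in recs], recs[0]["type"] == "SYSCALL")
            for s, recs in assemble_events(lines)]
```

Run `summarize(SAMPLE_LOG.splitlines())` to see the two events come out separately, each with its full list of record types.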



