[PATCH] add uid and comm to OBJ_PID records
Steve Grubb
sgrubb at redhat.com
Mon Dec 10 21:02:43 UTC 2007

On Monday 10 December 2007 15:23:24 Linda Knippers wrote:
> > type=OBJ_PID msg=audit(12/10/2007 15:36:54.328:67) : opid=3018
> > obj=root:system_r:httpd_t:s0-s0:c0.c1023 uid=test comm=loop
>
> Is uid sufficient or do you need auid, gid, euid, suid, fsuid, egid,...
> as well?

I don't think you need fsuid or any of the group credentials for signals. I
also don't think euid matters for receiving signals. auid could be useful.
People were mostly asking what process is this about, pid is generally not
helpful. And they wanted to make sure it was legal for that process to be
getting a signal. So, you need to see the uid.

> The subject has exe as well as comm. Should the obj record
> also have both?

Not 100% sure, but... I don't think we can get at it from the signal path
without holding a lock. We are trying to get what we can without any
complication or performance impact.

-Steve