Which userspace packages modified for audit

Steve Grubb sgrubb at redhat.com
Sun Feb 25 23:07:34 UTC 2007


On Sunday 25 February 2007 17:35:08 Matthew Booth wrote:
>> There are several APIs to enforce consistent messages depending on the
>> purpose. They all start with audit_log_ . 
>
> That's a lot of choices. I specifically want to log a message in my
> ausetauid utility containing the full command line executed under a
> different auid.

You would need to build your message in a buffer and pass it to 
audit_log_user_message() as the message param since an API has not been built 
for the purpose you described in 1.0.15. You will also want to follow naming 
conventions laid out in the parsing spec.

> To make sure it turns up in searches, I want it to have the same audit event
> ID as the LOGIN message it generates. 

No can do.

> Is this achievable, and which function should I read the source for ;) ?

Nope. Setting the loginuid is a discrete event seen from the kernel's 
perspective.

-Steve
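
The approach described in the reply above (build the message in a buffer, then pass it to audit_log_user_message() as the message parameter), as an added example that is not part of the original email and not code from the audit project. The `cmd=` field name, the AUDIT_USER_CMD record type and the quote-or-hex encoding rule are assumptions, since the parsing spec is not quoted in this message; the libaudit call is compiled only when built with -DHAVE_LIBAUDIT.

```c
#include <stdio.h>
#include <string.h>
#ifdef HAVE_LIBAUDIT              /* build with: -DHAVE_LIBAUDIT -laudit */
#include <libaudit.h>
#endif
/* Append val: quoted if plain, hex-encoded if it could forge fields (assumed rule). */
static int put_value(char *out, size_t cap, size_t *pos, const char *val)
{
    size_t len = strlen(val), i;
    int hex = 0;
    for (i = 0; i < len; i++)     /* space, quote, control or 8-bit byte => hex */
        if (val[i] == '"' || (unsigned char)val[i] < 0x21 || (unsigned char)val[i] > 0x7e) hex = 1;
    if (*pos + (hex ? 2 * len : len + 2) + 1 > cap) return -1;
    for (i = 0; hex && i < len; i++)
        *pos += (size_t)snprintf(out + *pos, cap - *pos, "%02X", (unsigned char)val[i]);
    if (!hex)
        *pos += (size_t)snprintf(out + *pos, cap - *pos, "\"%s\"", val);
    return 0;
}
/* Join argv with spaces and write cmd=<value> into out; -1 if it does not fit. */
int build_cmd_msg(char *out, size_t cap, int argc, char *const argv[])
{
    char cmd[1024] = "";
    size_t used = 0, pos = 4;
    int i;
    for (i = 0; i < argc; i++) {
        size_t len = strlen(argv[i]);
        if (used + len + 2 > sizeof(cmd)) return -1;   /* never truncate silently */
        if (i) cmd[used++] = ' ';
        memcpy(cmd + used, argv[i], len + 1);
        used += len;
    }
    if (cap < 5) return -1;
    memcpy(out, "cmd=", 5);                             /* field name is an assumption */
    return put_value(out, cap, &pos, cmd);
}

int main(int argc, char *argv[])
{
    char msg[4096];
    if (build_cmd_msg(msg, sizeof(msg), argc - 1, argv + 1) != 0) return 1;
    puts(msg);
#ifdef HAVE_LIBAUDIT
    int fd = audit_open();
    if (fd < 0) return 1;
    audit_log_user_message(fd, AUDIT_USER_CMD, msg, NULL, NULL, NULL, 1); /* type is an assumption */
    audit_close(fd);
#endif
    return 0;
}
```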



