audit-viewer "comm" question
Steve Grubb
sgrubb at redhat.com
Mon Aug 4 23:11:53 UTC 2008
On Monday 04 August 2008 18:49:42 LC Bruzenak wrote:
> After reading Steve's info about the "comm" field being clipped at 16
> chars, I was surprised to see a longer string inside the audit-viewer
> "comm" field.

If the event below is where it came from, then it originated in user space and
is not subject to the 16 byte kernel limitation.

> The same event in ausearch shows a NULL "comm" field, but the rest of
> the info lines up with the GUI:

The user space AVCs are FUBAR and I told the SE Linux people that they are not
following the audit logging convention. They need to fix the code in
libselinux.

-Steve