[PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format

Klaus Heinrich Kiwi klausk at linux.vnet.ibm.com
Thu Jan 10 17:58:13 UTC 2008


On Thu, 2008-01-10 at 12:41 -0500, Steve Grubb wrote:
> On Thursday 10 January 2008 12:25:23 Klaus Heinrich Kiwi wrote:
> > Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> > the kernel anomaly messages to have auid= uid= gid= fields (in this
> > order). This quick patch changes the ANOM_PROMISCUOUS message to the
> > correct format (as already used by ANOM_ABEND).
> 
> Thanks, would you mind making 2 changes to this? Add a test for audit_enabled 
> being true before calling audit_log...a long standing oversight. And add a 
> field at the end "res=1" since this doesn't appear to be able to fail. I'm 
> trying to get result fields in all events. 
> 
Will do. Would you like something related to disabling this message when
Xen is enabled? Or would you prefer separate patches since those two
things appear to be unrelated?

 Klaus

-- 
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center



