[PATCH] Fix acct quoting in audit_log_acct_message())
Steve Grubb
sgrubb at redhat.com
Tue Mar 4 21:38:03 UTC 2008
On Tuesday 04 March 2008 16:21:01 John Dennis wrote:
> These are the encoded audit strings in kernel 2.6.24 (Fedora):
Reorganized:
Field 24 18 auparse
a[0-9]+ X
acct X
cmd X
comm X X X
cwd X X X
data X
dir X X
exe X X X
file X
key X X X
msg X
name X X X
new X X
old X X
path X X X
watch X
Of these, A0-4 is probably from the execve patch. I have no idea what the
status of this patch is and if its upstream. I've not seen the records so
this would be something very new.
acct & cmd is a userspace thing
data, I need to go hunt this down. I don't like the name so it will probably
need to change in the kernel
msg, name collision it has to change wherever it is in the kernel
new, old, these sound like bugs. They need to get fixed in the kernel
file & watch are probably legacy from RHEL4 I think. It can probably be
deleted.
-Steve
More information about the Linux-audit
mailing list