[PATCH] audit: fix event coverage of AUDIT_ANOM_LINK
Steve Grubb
sgrubb at redhat.com
Thu Nov 29 15:10:48 UTC 2012
On Wednesday, November 28, 2012 02:57:44 PM Kees Cook wrote:
> The userspace audit tools didn't like the existing formatting of the
> AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH
> event as well, so this implements the change. The bulk of the patch is
> moving code out of auditsc.c into audit.c and audit.h for general use.
> It expands audit_log_name to include an optional "struct path" argument
> for the simple case of just needing to report a pathname. This also makes
> audit_log_task_info available when syscall auditing is not enabled so
> an admin can make sense of the audit report (which would have only shown
> path information, not process information).
>
> Reported-by: Steve Grubb <sgrubb at redhat.com>
> Signed-off-by: Kees Cook <keescook at chromium.org>
Do you have a sample record I could check?
ausearch --start today -m 1702 --raw --just-one
Thanks,
-Steve
More information about the Linux-audit
mailing list