[PATCH] Fixed reason field in audit signal logging

LC Bruzenak lenny at magitekltd.com
Thu Nov 7 15:13:48 UTC 2013


On 11/07/2013 09:05 AM, Steve Grubb wrote:
>
> I am confused. This is the abnormal end event I have:
>
> type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 ses=1 
> subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm="aureport" sig=11
>
> Why / when did we start adding text explanations? We should not do that. We 
> didn't have it before and it should not have been added. The signal number is 
> enough to identify the problem.
>
> If we did need a reason= field, all these strings with spaces will get
> separated on parsing. They should be like "memory-violation" or
> "received-abort". And would it be better to hide this in the
> audit_log_abend function? I honestly don't understand why this was added.
>
> -Steve

Whoops; looks like I jumped the gun. I also have the same results:
node=test1 type=ANOM_ABEND msg=audit(1383674813.174:5025253):
auid=4294967295 uid=0 gid=0 ses=4294967295
subj=system_u:system_r:xserver_t:s0-s15:c0.c1023 pid=5537 comm="X" sig=6

It looked like it would add value at first read.

LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
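
Added example, not part of the original message and not the audit project's own code: a simplified whitespace-based name=value parser (an assumption about how a log consumer might tokenize records) showing the point raised in the quoted reply, that a reason= value containing spaces gets separated on parsing while a hyphenated value stays in one field. parse_record is a hypothetical name, and the two reason= records are constructed from the ANOM_ABEND record quoted above.

```python
import re

# Header of an audit record: msg=audit(<epoch>.<ms>:<serial>):
HEADER = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")

def parse_record(line):
    """Split an audit record into (fields, stray_tokens).

    Simplified model (assumption): tokens are separated by whitespace, each
    token is name=value, and double quotes around a value are stripped.
    Tokens without '=' cannot be attributed to a field and are returned
    separately so the caller can flag the record as malformed.
    """
    fields, stray = {}, []
    m = HEADER.search(line)
    if m:
        fields["timestamp"] = f"{m.group(1)}.{m.group(2)}"
        fields["serial"] = int(m.group(3))
        line = line[:m.start()] + line[m.end():]
    for token in line.split():
        name, sep, value = token.partition("=")
        if not sep or not name:
            stray.append(token)
            continue
        fields[name] = value.strip('"')
    return fields, stray

# Record quoted in the thread, joined onto one line.
PAGE_RECORD = (
    "type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 "
    "ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 "
    'comm="aureport" sig=11'
)
# Constructed variants: the same record with a reason= field appended.
WITH_SPACES = PAGE_RECORD + " reason=memory violation"
HYPHENATED = PAGE_RECORD + " reason=memory-violation"

if __name__ == "__main__":
    for label, rec in [("page", PAGE_RECORD), ("spaces", WITH_SPACES),
                       ("hyphenated", HYPHENATED)]:
        fields, stray = parse_record(rec)
        print(f"{label:10} sig={fields['sig']} "
              f"reason={fields.get('reason')!r} stray={stray}")
```
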



