[PATCH] Fixed reason field in audit signal logging

Steve Grubb sgrubb at redhat.com
Thu Nov 7 18:07:54 UTC 2013


On Thursday, November 07, 2013 11:11:09 AM Steve Grubb wrote:
> On Thursday, November 07, 2013 10:42:21 AM Eric Paris wrote:
> > > I am confused. This is the abnormal end event I have:
> > > 
> > > 
> > > type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm="aureport" sig=11
> > > 
> > > 
> > > Why / when did we start adding text explanations? We should not do that.
> > > We didn't have it before and it should not have been added. The signal
> > > number is enough to identify the problem.
> > 
> > We started adding a reason when seccomp started sending ANOM_ABEND
> > events as well.  It doesn't do so with a signal.  Agreed, the " " is/was
> > a bad idea...
> 
> Does seccomp still send these? I see there is an AUDIT_SECCOMP event being
> sent by __audit_seccomp(). Does seccomp do anything with ABEND at this
> point?

As far as I can see via grepping around, seccomp does not call 
audit_log_abend(). As a matter of fact, only audit_core_dumps() does, meaning 
there is no reason for audit_log_abend anymore. Its code can be pushed back 
into audit_core_dumps() and the reason= can be removed entirely.

-Steve



