[PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

Tony Jones tonyj at suse.de
Sat May 31 00:01:39 UTC 2014


On 05/30/2014 02:00 PM, Steve Grubb wrote:

> This is a big mistake, IMHO. In theory, this is what should have happened:
>  An access decision event should have been named in the 1500 block. It would
> then be free to include the field it needs in the order it needs. The ausearch 
> would get a function parse_aa_decision. That function would stuff a struct 
> specially tuned for AA usage. Aureport would gain a new report.

The very original AA submission logged everything from the kernel using AUDIT_AA which was defined in the submission as:

+#define AUDIT_AA 1500 /* AppArmor audit */

I'm not sure when the change was made to call common_lsm_audit() which logs as AUDIT_AVC. I agree with Steve, doesn't seem a good idea.

tony



