+define AUDIT_SYSCALL   1300  /* Syscall event */
+define AUDIT_IPC       1303  /* IPC record */
Does this mean that on X86_64 a record for semget shows up as a record of
type AUDIT_SYSCALL, but on all platforms, it comes out as AUDIT_IPC record?
Also true for other syscalls including: msgctl, msgget, msgrecv, msgsend,
semctl, semop, semtimedop, shmat, shmctl, shmdt, shmget.
+define AUDIT_SOCKET    1304  /* Socket record */
Would this make the bind syscall generate records of type AUDIT_SOCKET?
-debbie
linux-audit-bounces(a)redhat.com wrote on 05/10/2005 08:47:35 AM:
 On Tuesday 19 April 2005 11:23, Steve Grubb wrote:
 > I wanted to start a discussion about an old topic that we last discussed
 > back in December. The problem basically centers around the audit message
 > type being too coarse to be of any real use.
 Attached is my current working patch for people to review and comment on. It
 is not a final patch. I still need to review all messages to ensure we have
 everything that it's supposed to be. The patch is against the .31 kernel with
 all my previous patches applied.
 If there are no objections or concerns, I will finalize this patch and release
 matching user space tools.
 -Steve
 [attachment "linux-2.6.9-audit-types.patch" deleted by Debora
 Velarde/Austin/IBM]
 --
 Linux-audit mailing list
 Linux-audit(a)redhat.com
 http://www.redhat.com/mailman/listinfo/linux-audit