Re: possible "comm"
On Thursday 31 July 2008 17:01:22 LC Bruzenak wrote:
While looking through some audit events in the audit-viewer I saw
what I
thought might be a display error (see below "comm="), however when I
look at the event using ausearch I see the same thing:
# ausearch -ts recent -i -a 50457
----
type=SOCKADDR msg=audit(07/31/2008 15:37:43.602:50457) : saddr=inet
host:127.0.0.1 serv:16001
type=SYSCALL msg=audit(07/31/2008 15:37:43.602:50457) : arch=x86_64
syscall=connect success=no exit=-111(Connection refused) a0=10
a1=2f96d30 a2=10 a3=7fff13ee75dc items=0 ppid=22794 pid=23014 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts3 ses=818 comm=/usr/share/audi exe=/usr/bin/python
subj=root:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(07/31/2008 15:37:43.602:50457) : avc: denied
{ recvfrom } for pid=23014 comm=/usr/share/audi
You are referring to comm ^^ ?
http://lxr.linux.no/linux/include/linux/sched.h#L201
The define is 16 characters long. This is to give you a hint about what it is
that the interpreter might be executing. When its full path, you only get the
first 16 chars, when someone just uses the command name and lets the shell
find it, its more likely what you wanted.
comm is not 100% trustworthy but it helps you figure out what was being
interpreted. My guess would be audit-viewer in this case.
-Steve