On Thursday, November 9, 2023 12:09:15 PM EST Steve Grubb wrote:
Hello,

On Thursday, November 9, 2023 7:32:13 AM EST Chris Riches wrote:
> Hi, has anyone had a chance to look at this yet? It's been over three
> weeks with no response.

I was hoping some other people working on audit would step up.

One idea I have not tested is to make a "command and control" fd that would
be used for enabling the audit system and setting the pid. This would be
separate from the data fd which processes events.

Looks like we lost that ability a couple years ago when missing auditd
detection was added. The fd that sets the pid is the one that gets all the
events even if there is another fd available that belongs to the same pid.

-Steve