5:02 p.m.
As some of us have been experimenting with adding/removing lots of
file system watches, I've noticed that we get one of these messages
in the audit log each time a file system watch is removed, including
during an 'auditctl -D'.
type=CONFIG_CHANGE msg=audit(1131576749.186:1182016): auid=4294967295
removed watch
I'm wondering about the usefulness of this message since it doesn't
identify the watch that's being removed. If we need this message,
shouldn't it identify the watch that's being removed? If we don't need
this message, can we delete it?
-- ljk
5:05 p.m.
On Wednesday 09 November 2005 18:02, Linda Knippers wrote:
I'm wondering about the usefulness of this message since it
doesn't
identify the watch that's being removed.
This denotes that a configuration change has occurred. This is needed.
If we need this message, shouldn't it identify the watch
that's being
removed?
That would be nice. In the new file system audit code, maybe we can add the
file name?
Thanks,
-Steve
5:15 p.m.
I just noticed the message is similarly vague when system call
rules are removed. It just says "removed an audit rule".
-- ljk
Steve Grubb wrote:
On Wednesday 09 November 2005 18:02, Linda Knippers wrote:
>I'm wondering about the usefulness of this message since it doesn't
>identify the watch that's being removed.
This denotes that a configuration change has occurred. This is needed.
>If we need this message, shouldn't it identify the watch that's being
>removed?
That would be nice. In the new file system audit code, maybe we can add the
file name?
Thanks,
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
6:01 p.m.
On Wednesday 09 November 2005 18:15, Linda Knippers wrote:
I just noticed the message is similarly vague when system call
rules are removed. It just says "removed an audit rule".
So, who wants to update this? I agree that we could at least put the list name
& syscall number(s) into it or "all" if that applies. There's no way the
kernel should do the whole thing since that duplicates userspace. Just the
syscall & list name would be enough to guess the rule in most cases.
-Steve
6:14 p.m.
For some reason I was thinking that there was more information in the
audit log when a rule or watch was added but there isn't. Since all
the information is known at the point where the current audit records
are generated (I think that's the case), couldn't we just include more
information in the record? I don't see the userspace connection here
but I could be missing something.
-- ljk
Steve Grubb wrote:
On Wednesday 09 November 2005 18:15, Linda Knippers wrote:
>I just noticed the message is similarly vague when system call
>rules are removed. It just says "removed an audit rule".
So, who wants to update this? I agree that we could at least put the list name
& syscall number(s) into it or "all" if that applies. There's no way
the
kernel should do the whole thing since that duplicates userspace. Just the
syscall & list name would be enough to guess the rule in most cases.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
5:17 a.m.
On Wednesday 09 November 2005 19:14, Linda Knippers wrote:
Since all the information is known at the point where the current
audit
records are generated (I think that's the case), couldn't we just include
more information in the record?
Yes, but not much.
I don't see the userspace connection here but I could be missing
something.
"auditctl -l" does a full formatting of each rule. What I was referring to is
that to get the rule in the logs exactly as sent would duplicate that
functionality.
For syscalls, about all you can put is list number & syscall number(s). For
watches, path and key. Going beyond that will be a lot of formatting that
adds bloat. You can take a look at the code that does "auditctl -l"
formatting to see what it takes.
So, who's gonna do it?
-Steve
2:38 p.m.
On Thu, 2005-11-10 at 06:17 -0500, Steve Grubb wrote:
For syscalls, about all you can put is list number & syscall
number(s). For
watches, path and key. Going beyond that will be a lot of formatting that
adds bloat. You can take a look at the code that does "auditctl -l"
formatting to see what it takes.
Surely you can just re-use that same code for generating the messages?
--
dwmw2
6981
days inactive
6983
days old
linux-audit@lists.linux-audit.osci.io
6 comments
3 participants
participants (3)
-
David Woodhouse -
Linda Knippers -
Steve Grubb