+define AUDIT_SYSCALL 1300 /* Syscall event */
+define AUDIT_IPC 1303 /* IPC record */

Does this mean that on X86_64 a record for semget shows up as a record of type AUDIT_SYSCALL, but on all platforms, it comes out as AUDIT_IPC record?
Also true for other syscalls including: msgctl, msgget, msgrecv, msgsend, semctl, semop, semtimedop, shmat, shmctl, shmdt, shmget.


+define AUDIT_SOCKET 1304 /* Socket record */
Would this make the bind syscall generate records of type AUDIT_SOCKET?

-debbie

linux-audit-bounces@redhat.com wrote on 05/10/2005 08:47:35 AM:

> On Tuesday 19 April 2005 11:23, Steve Grubb wrote:
> > I wanted to start a discussion about an old topic that we last discussed
> > back in December. The problem basically centers around the audit message
> > type being too coarse to be of any real use.

> Attached is my current working patch for people to review and comment on. It
> is not a final patch. I still need to review all messages to ensure we have
> everything that its supposed to be. The patch is against the .31 kernel will
> all my previous patches applied.

> If there are no objections or concerns, I will finalize this patch and release
> matching user space tools.

> -Steve
> [attachment "linux-2.6.9-audit-types.patch" deleted by Debora
> Velarde/Austin/IBM]
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit