On Thu, 2005-06-23 at 15:16 -0400, Steve Grubb wrote:
> However...I looked at the user filtering and it is not working. I think I know
> why. netlink is an async interface. This means that the task may not be alive
> when the user message is processed. It currently detects the and returns
> -ESRCH, but the sender is long gone.

The sender isn't long gone; if it has disappeared without waiting for
the ack (as libaudit does) then the -ESRCH will mean that the message
isn't logged.

If you send a message and disappear without waiting for the ack, then
your message may or may not get logged. If it _is_ logged, then it'll be
logged with the correct credentials.

I think it's OK to declare that sending a message without waiting for
the ack is not guaranteed to work.

I'm more interested in finding the real reason why it didn't work. Were
you setting the syscall bitmask to all ones in auditctl?

--
dwmw2
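
What waiting for the ack involves on the wire, as an added example that is not part of this email or of libaudit: the request sets NLM_F_ACK, and the kernel's NLMSG_ERROR reply with the same sequence number carries 0 on success or a negative errno such as the -ESRCH discussed above. The AUDIT_USER message type, the function names and the sample reply are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Build a user audit message that asks the kernel for an ack (NLM_F_ACK).
 * Returns the message length, or 0 if it does not fit in buf. */
static size_t build_user_msg(void *buf, size_t cap, unsigned seq, const char *text)
{
    size_t len = NLMSG_LENGTH(strlen(text) + 1);
    struct nlmsghdr *nlh = buf;
    if (NLMSG_ALIGN(len) > cap)
        return 0;
    memset(buf, 0, NLMSG_ALIGN(len));
    nlh->nlmsg_len = len;
    nlh->nlmsg_type = AUDIT_USER;              /* assumed message type */
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq = seq;
    memcpy(NLMSG_DATA(nlh), text, strlen(text) + 1);
    return len;
}

/* Classify one received netlink message against the request's sequence number:
 * 0 = acked, <0 = kernel error (e.g. -ESRCH), 1 = not our ack, keep reading. */
static int check_ack(const void *buf, size_t n, unsigned seq)
{
    const struct nlmsghdr *nlh = buf;
    if (n < sizeof(*nlh) || nlh->nlmsg_len < sizeof(*nlh) || nlh->nlmsg_len > n)
        return -EBADMSG;
    if (nlh->nlmsg_type != NLMSG_ERROR || nlh->nlmsg_seq != seq)
        return 1;
    if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr)))
        return -EBADMSG;
    return ((const struct nlmsgerr *)NLMSG_DATA(nlh))->error;
}

int main(void)
{
    /* Constructed reply: the kernel's NLMSG_ERROR answer to seq 7 with -ESRCH. */
    struct { struct nlmsghdr h; struct nlmsgerr e; } ack = {
        .h = { .nlmsg_len = sizeof(ack), .nlmsg_type = NLMSG_ERROR, .nlmsg_seq = 7 },
        .e = { .error = -ESRCH },
    };
    union { struct nlmsghdr h; char b[128]; } req;
    size_t len = build_user_msg(&req, sizeof(req), 7, "op=test res=success");
    printf("request %zu bytes, ack check: %d\n", len, check_ack(&ack, sizeof(ack), 7));
    return 0;
}
```

A sender that exits before reading this reply never learns which of the three outcomes applied to its message.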