On Thu, 2008-01-10 at 12:41 -0500, Steve Grubb wrote:
> On Thursday 10 January 2008 12:25:23 Klaus Heinrich Kiwi wrote:
> > Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> > the kernel anomalies messages to have auid= uid= gid= fields (in this
> > order). This quick patch changes the ANOM_PROMISCUOUS message to the
> > correct format (as already used by ANOM_ABEND).
> Thanks, would you mind making 2 changes to this? Add a test for audit_enabled
> being true before calling audit_log...a long standing oversight. And add a
> field at the end "res=1" since this doesn't appear to be able to fail. I'm
> trying to get result fields in all events.
Will do. Would you like something related to disabling this message when
Xen is enabled? Or would you prefer separate patches since those two
things appear to be unrelated?
Klaus
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center