Currently audit drops the audit type when an audit message goes through
printk instead of the audit deamon. This is a minor annoyance in
that the audit type is no longer part of the message and the information
the audit type conveys needs to be carried in, or derived from the
message data.
The attached patch includes the type number as part of the printk.
Admittedly it isn't the type name that the audit deamon provides but I
think this is better than dropping the type completely.
---
kernel/audit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1354,7 +1354,8 @@ void audit_log_end(struct audit_buffer *
ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
} else {
- printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
+ struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
+ printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data +
NLMSG_SPACE(0));
}
}
audit_buffer_free(ab);