On Wed, 2006-02-15 at 13:18 -0500, Linda Knippers wrote:
Steve Grubb wrote:
> On Wednesday 15 February 2006 12:17, Linda Knippers wrote:
>
>>How can I tell from the audit records that the file name was "(null)"
>>vs. having "(null)" manufactured by the audit system?
>
>
> ls -i "(null)"
>
> and then compare inode values.
The inode could be long gone by the time I'm looking at the audit log.
-- ljk
A clumsy way of doing it would be to encode the file name "(null)" in
hex. If it shows up as "(null)" in the log, then we know we meant NULL.
-tim
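
The hex-encoding idea from the last message, sketched as an added example (not part of the original thread and not the audit system's own code): a file literally named "(null)" is written as hex, so a bare (null) in the log can only mean a NULL name. The record layout, the sample lines and the function names `encode_name` and `decode_name` are assumptions made for illustration.

```python
import re

# Assumed field layout: name= is a double-quoted string, a bare hex
# string, or the bare token (null).
NAME_FIELD = re.compile(r'\bname=("[^"]*"|\S+)')

def encode_name(name):
    """None -> bare (null); literal "(null)" or unsafe bytes -> hex; else quoted."""
    if name is None:
        return "(null)"
    raw = name.encode("utf-8") if isinstance(name, str) else name
    # Printable ASCII without space or double quote counts as safe to quote.
    safe = all(0x21 <= b <= 0x7E and b != 0x22 for b in raw)
    if raw == b"(null)" or not safe:
        return raw.hex().upper()
    return '"' + raw.decode("ascii") + '"'

def decode_name(record):
    """Return (kind, value) where kind is absent, null, name or malformed."""
    m = NAME_FIELD.search(record)
    if m is None:
        return ("absent", None)
    tok = m.group(1)
    if tok == "(null)":
        return ("null", None)          # manufactured by the logger
    if len(tok) >= 2 and tok.startswith('"') and tok.endswith('"'):
        return ("name", tok[1:-1].encode("ascii"))
    try:
        return ("name", bytes.fromhex(tok))   # hex-encoded real name
    except ValueError:
        return ("malformed", tok)

# Constructed sample records, not taken from a real audit log.
SAMPLE = [
    'type=PATH msg=audit(0.000:1): name=(null) inode=0',
    'type=PATH msg=audit(0.000:2): name=286E756C6C29 inode=12',
    'type=PATH msg=audit(0.000:3): name="passwd" inode=34',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(decode_name(line), "<-", line)
```

Because the decision is made from the record text alone, it still works after the inode has been reused or removed.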