AUDIT_TTY records were logged as separate events from their syscall
records. Join them so they are logged as the single event that they
are.

Please see the GitHub issue
https://github.com/linux-audit/audit-kernel/issues/106

Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Tested with ausearch-test-0.6 and audit-testsuite, manually inspected
for record association.
drivers/tty/tty_audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 28f87fd6a28e..9f906a5b8e81 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -66,7 +66,7 @@ static void tty_audit_log(const char *description, dev_t dev,
uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
unsigned int sessionid = audit_get_sessionid(current);
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY);
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_TTY);
if (ab) {
char name[sizeof(current->comm)];
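Review bot: The new audit_log_start(audit_context(), ...) call ties the AUDIT_TTY record to the audit context of current, but neither the commit message nor a comment says what is expected when tty_audit_log() runs with no syscall context for the task, or confirms that every caller runs in the task whose syscall produced the TTY data. The surrounding lines already take loginuid, sessionid and comm from current, so the choice is consistent with them; a one-line comment above the call stating that assumption, plus a sentence in the commit message on the no-context case, would let a reader of the audit trail know when a TTY record can still appear as its own event.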
--
1.8.3.1