From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: [PATCH 1/1] audit: Make AUDIT_KERNEL event conform to the specification Date: Thu, 01 Dec 2016 15:02:07 -0500 Message-ID: <35255769.M5mior0TaQ@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from x2.localnet (vpn-57-91.rdu2.redhat.com [10.10.57.91]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id uB1K27E0018638 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Thu, 1 Dec 2016 15:02:08 -0500 List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com The AUDIT_KERNEL event is not following name=value format. This causes some information to get lost. The event has been reformatted to follow the convention. Additionally the audit_enabled value was added for troubleshooting purposes. The following is an example of the new event: type=KERNEL audit(1480621249.833:1): state=initialized audit_enabled=0 res=1 Signed-off-by: sgrubb --- kernel/audit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 910a7c1..91860d4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1252,7 +1252,9 @@ static int __init audit_init(void) audit_enabled = audit_default; audit_ever_enabled |= !!audit_default; - audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized"); + audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, + "state=initialized audit_enabled=%u res=1", + audit_enabled); for (i = 0; i < AUDIT_INODE_BUCKETS; i++) INIT_LIST_HEAD(&audit_inode_hash[i]); -- 2.7.4
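Review bot: In the audit_init() hunk, the new format string hard-codes res=1 and logs audit_enabled on the lines directly after `audit_enabled = audit_default;`, so the record can only ever report the boot-time default and never a failure. A one-line comment above the audit_log() call stating that this is intended (or logging audit_default directly) would make that clear to later readers. Since the record body changes from the bare word "initialized" to name=value pairs, the commit message could also say whether any consumer is known to match on the old text.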
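Why a bare word is lost to a name=value consumer, shown as an added example that is not part of the original patch or the audit project's code. The names `parse_record`, `OLD_RECORD` and `NEW_RECORD` are hypothetical, the old-format record is constructed, and values are assumed to contain no spaces.

```python
import re

# Constructed sample: the record body before the patch (bare word only).
OLD_RECORD = "type=KERNEL audit(1480621249.833:1): initialized"
# The example record given in the commit message.
NEW_RECORD = ("type=KERNEL audit(1480621249.833:1): "
              "state=initialized audit_enabled=0 res=1")

# Record header: type, then audit(<seconds.millis>:<serial>):, then the body.
# An optional "msg=" prefix is accepted before "audit(".
HEADER = re.compile(
    r"^type=(?P<type>\S+) (?:msg=)?"
    r"audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$"
)


def parse_record(line):
    """Split one audit record into header values and name=value fields.

    Tokens in the body that are not name=value cannot be addressed by
    field name, so they are collected in "dropped" instead of "fields".
    Simplification (assumption): values contain no whitespace.
    """
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields, dropped = {}, []
    for token in m.group("body").split():
        name, sep, value = token.partition("=")
        if sep and name:
            fields[name] = value.strip('"')
        else:
            dropped.append(token)
    return {
        "type": m.group("type"),
        "time": m.group("time"),
        "serial": int(m.group("serial")),
        "fields": fields,
        "dropped": dropped,
    }


if __name__ == "__main__":
    for record in (OLD_RECORD, NEW_RECORD):
        parsed = parse_record(record)
        print(parsed["fields"], "dropped:", parsed["dropped"])
```

With the old body, a search keyed on field names finds nothing to match; with the new body, `state`, `audit_enabled` and `res` are all addressable.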