From: Matthew Booth
Subject: Re: Which userspace packages modified for audit
Date: Sun, 25 Feb 2007 22:35:08 +0000
Message-ID: <1172442908.1541.6.camel@localhost.localdomain>
References: <20070222230340.GA7527@suse.de> <200702251341.38443.sgrubb@redhat.com> <1172441723.4925.8.camel@localhost.localdomain> <200702251730.40357.sgrubb@redhat.com>
In-Reply-To: <200702251730.40357.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sun, 2007-02-25 at 17:30 -0500, Steve Grubb wrote:
> On Sunday 25 February 2007 17:15:23 Matthew Booth wrote:
> > On a related note, what's the api for injecting an arbitrary audit event
> > from userspace in 1.0.15?
>
> audit_log_user_message().
>
> > There doesn't appear to be anything obvious in the man pages.
>
> There are several APIs to enforce consistent messages depending on the
> purpose. They all start with audit_log_ .

That's a lot of choices. I specifically want to log a message in my
ausetauid utility containing the full command line executed under a
different auid. To make sure it turns up in searches, I want it to have
the same audit event ID as the LOGIN message it generates. Is this
achievable, and which function should I read the source for ;) ?

Thanks,

Matt
-- 
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490