From mboxrd@z Thu Jan 1 00:00:00 1970
From: Klaus Heinrich Kiwi
Subject: Re: [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
Date: Thu, 10 Jan 2008 15:58:13 -0200
Message-ID: <1199987893.7836.66.camel@klausk.br.ibm.com>
References: <1199985923.7836.63.camel@klausk.br.ibm.com> <200801101241.00467.sgrubb@redhat.com>
In-Reply-To: <200801101241.00467.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: "Linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Thu, 2008-01-10 at 12:41 -0500, Steve Grubb wrote:
> On Thursday 10 January 2008 12:25:23 Klaus Heinrich Kiwi wrote:
> > Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> > the kernel anomalies messages to have auid= uid= gid= fields (in this
> > order). This quick patch changes the ANOM_PROMISCUOUS message to the
> > correct format (as already used by ANOM_ABEND).
>
> Thanks, would you mind making 2 changes to this? Add a test for audit_enabled
> being true before calling audit_log...a long standing oversight. And add a
> field at the end "res=1" since this doesn't appear to be able to fail. I'm
> trying to get result fields in all events.
>

Will do. Would you like something related to disabling this message when
Xen is enabled? Or would you prefer separate patches since those two
things appear to be unrelated?

Klaus

-- 
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
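
The field layout discussed in this thread (auid= uid= gid= in that order, with a trailing res= field) can be checked mechanically against captured audit records. The following is an added example, not code from the thread or from the audit project; the sample records are constructed, and their dev=, prom= and old_prom= fields and msg= values are assumptions made for illustration.

```python
import re

# key=value pairs; a value is a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Order the thread says ausearch/aureport expect in kernel anomaly messages
REQUIRED_RUN = ("auid", "uid", "gid")


def parse_fields(record):
    """Return the record's fields as an ordered list of (key, value)."""
    return [(k, v.strip('"')) for k, v in FIELD_RE.findall(record)]


def check_anomaly_record(record):
    """Return a list of layout problems; an empty list means the record
    has auid= uid= gid= consecutively and res= as its last field."""
    keys = [k for k, _ in parse_fields(record)]
    problems = []
    missing = [k for k in REQUIRED_RUN if k not in keys]
    if missing:
        problems.append("missing: " + ",".join(missing))
    else:
        start = keys.index("auid")
        if tuple(keys[start:start + 3]) != REQUIRED_RUN:
            problems.append("auid= uid= gid= not consecutive in that order")
    if not keys or keys[-1] != "res":
        problems.append("res= is not the last field")
    return problems


# Constructed sample records (not real log output)
PREFIX = "type=ANOM_PROMISCUOUS msg=audit(1199987893.000:42): "
GOOD = PREFIX + "dev=eth0 prom=256 old_prom=0 auid=500 uid=0 gid=0 res=1"
BAD_ORDER = PREFIX + "dev=eth0 prom=256 old_prom=0 uid=0 gid=0 auid=500"
NO_IDS = PREFIX + "dev=eth0 prom=256 old_prom=0"

if __name__ == "__main__":
    for rec in (GOOD, BAD_ORDER, NO_IDS):
        print(check_anomaly_record(rec) or "ok", "<-", rec)
```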