From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Which userspace packages modified for audit
Date: Sun, 25 Feb 2007 18:07:34 -0500
Message-ID: <200702251807.34900.sgrubb@redhat.com>
References: <20070222230340.GA7527@suse.de> <200702251730.40357.sgrubb@redhat.com> <1172442908.1541.6.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1172442908.1541.6.camel@localhost.localdomain>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Matthew Booth
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sunday 25 February 2007 17:35:08 Matthew Booth wrote:
>> There are several APIs to enforce consistent messages depending on the
>> purpose. They all start with audit_log_ .
>
> That's a lot of choices. I specifically want to log a message in my
> ausetauid utility containing the full command line executed under a
> different auid.

You would need to build your message in a buffer and pass it to
audit_log_user_message() as the message param since an API has not been built
for the purpose you described in 1.0.15. You will also want to follow naming
conventions laid out in the parsing spec.

> To make sure it turns up in searches, I want it to have the same audit event
> ID as the LOGIN message it generates.

No can do.

> Is this achievable, and which function should I read the source for ;) ?

Nope. Setting the loginuid is a discrete event seen from the kernel's
perspective.

-Steve
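
Added example, not part of the message above or of the audit project's code: one way to build the message buffer described in the reply before handing it to audit_log_user_message(). The cmd field name, the quote-or-hex value encoding, the AUDIT_TRUSTED_APP record type and the helper names build_cmd_msg and send_cmd_event are assumptions, since the parsing spec is not quoted in this thread.

```c
#include <stdio.h>
#include <string.h>
#ifdef HAVE_LIBAUDIT   /* assumption: built with -DHAVE_LIBAUDIT -laudit */
#include <libaudit.h>
#endif

/* Assumed convention: a quote, space, control or non-ASCII byte makes
 * the value untrusted, so it cannot be logged as a quoted string. */
static int needs_hex(const char *s)
{
    for (; *s; s++)
        if (*s == '"' || (unsigned char)*s <= 0x20 || (unsigned char)*s >= 0x7f)
            return 1;
    return 0;
}

/* Write cmd=<value> into buf: quoted if clean, upper-case hex otherwise.
 * Returns the message length, or -1 if it does not fit (never truncates,
 * so a long command line cannot silently lose its tail in the log). */
int build_cmd_msg(char *buf, size_t len, int argc, char *const argv[])
{
    char cmd[1024];
    size_t used = 0;
    for (int i = 0; i < argc; i++) {        /* join argv with single spaces */
        size_t a = strlen(argv[i]);
        if (used + a + 2 > sizeof(cmd)) return -1;
        if (i) cmd[used++] = ' ';
        memcpy(cmd + used, argv[i], a);
        used += a;
    }
    cmd[used] = '\0';
    if (!needs_hex(cmd)) {
        int n = snprintf(buf, len, "cmd=\"%s\"", cmd);
        return (n < 0 || (size_t)n >= len) ? -1 : n;
    }
    if (len < 4 + 2 * used + 1) return -1;
    memcpy(buf, "cmd=", 4);
    for (size_t i = 0; i < used; i++)
        sprintf(buf + 4 + 2 * i, "%02X", (unsigned char)cmd[i]);
    return (int)(4 + 2 * used);
}

#ifdef HAVE_LIBAUDIT
/* fd comes from audit_open(); the record type is an assumption. */
int send_cmd_event(int fd, int argc, char *const argv[])
{
    char msg[2100];
    if (build_cmd_msg(msg, sizeof(msg), argc, argv) < 0) return -1;
    return audit_log_user_message(fd, AUDIT_TRUSTED_APP, msg, NULL, NULL, NULL, 1);
}
#endif
```

The resulting record is a separate event from the kernel's LOGIN record, as the reply states, so correlating the two has to rely on fields such as auid rather than on a shared event ID.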