Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: Matthew Booth <mbooth@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Format of audit logs
Date: Sun, 13 May 2007 14:38:39 -0400
Message-ID: <200705131438.39227.sgrubb@redhat.com>
In-Reply-To: <1179080274.4251.19.camel@localhost.localdomain>

On Sunday 13 May 2007 14:17:54 Matthew Booth wrote:
> On Sun, 2007-05-13 at 12:47 -0400, Steve Grubb wrote:
> > On Tuesday 08 May 2007 14:02:06 Matthew Booth wrote:
> > > Can anybody point me to a document which describes the format of logs
> > > generated by auditd in RHEL 4.
> >
> > I have not created such a document. I don't know if anyone else has
> > either. I plan to start creating a bunch of documentation for the audit
> > system this summer.
>
> Ok. In the mean time, can you fill me in on exactly how a PATH record is
> added to an event?

If the syscall is of interest and a context has been created, as the syscall 
is handled it passes certain checkpoints where we gather information as an 
auxiliary record.

> For example, on execve(), why would I get a PATH record for both the binary
> being executed and the ld library? The latter didn't have a name, just an
> inode.

The code passed through one of the hooks? That was probably talked about on 
this mail list maybe 2 years ago. I seem to recall something about it.

In essence, as soon as a syscall becomes of interest, all hooks add aux 
records to describe different aspects of what happened during the syscall. If 
the ld library is in the syscall record, it was used by the kernel during the 
execve syscall.

-Steve
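As an added illustration of the grouping Steve describes (this is not code from the thread or from the audit project), the Python below groups raw auditd records by their msg=audit(timestamp:serial) key and lists the PATH records attached to each execve event, including a PATH record that carries only an inode and no name. The log lines are constructed, and the execve check assumes x86_64 syscall numbering (arch=c000003e, syscall 59).

```python
import re
from collections import defaultdict

# Constructed sample lines in auditd raw-log format (not taken from the thread).
# Serial 1001 is one execve event: a SYSCALL record, an EXECVE record and two
# PATH records, the binary with a name and the dynamic loader with only an inode.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1178655726.123:1001): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1178655726.123:1001): argc=1 a0="ls"
type=PATH msg=audit(1178655726.123:1001): item=0 name="/bin/ls" inode=12345 dev=08:01 mode=0100755
type=PATH msg=audit(1178655726.123:1001): item=1 inode=67890 dev=08:01 mode=0100755
type=SYSCALL msg=audit(1178655730.456:1002): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1178655730.456:1002): item=0 name="/etc/passwd" inode=111 dev=08:01 mode=0100644
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value fields>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value, where the value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(body):
    """Turn 'k=v k2="quoted v"' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def group_events(log_text):
    """Group records by audit serial: every record sharing one
    msg=audit(timestamp:serial) key is an auxiliary record of the same event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:  # lines that are not audit records are skipped
            events[int(m["serial"])].append((m["type"], parse_fields(m["body"])))
    return dict(events)

def execve_paths(events):
    """For each execve event (assumes x86_64, where syscall 59 is execve),
    return its PATH records as (item, name or None, inode). A PATH record
    without name=, such as the loader the kernel opened itself, gives None."""
    out = {}
    for serial, records in events.items():
        syscalls = [f for t, f in records if t == "SYSCALL"]
        if not syscalls or syscalls[0].get("syscall") != "59":
            continue
        paths = [f for t, f in records if t == "PATH"]
        out[serial] = sorted(((int(f["item"]), f.get("name"), int(f["inode"]))
                              for f in paths), key=lambda p: p[0])
    return out
```

Feeding a real /var/log/audit/audit.log through group_events shows the same thing ausearch does: one serial, several records, and a PATH per object the kernel touched during the syscall.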
