* [RFC] include audit type in audit message when using printk
@ 2007-09-01 19:22 John Johansen
0 siblings, 0 replies; only message in thread
From: John Johansen @ 2007-09-01 19:22 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 984 bytes --]
Currently audit drops the audit type when an audit message goes through
printk instead of the audit deamon. This is a minor annoyance in
that the audit type is no longer part of the message and the information
the audit type conveys needs to be carried in, or derived from the
message data.
The attached patch includes the type number as part of the printk.
Admittedly it isn't the type name that the audit deamon provides but I
think this is better than dropping the type completely.
---
kernel/audit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1354,7 +1354,8 @@ void audit_log_end(struct audit_buffer *
ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
} else {
- printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
+ struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
+ printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
}
}
audit_buffer_free(ab);
[-- Attachment #1.2: Type: application/pgp-signature, Size: 189 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2007-09-01 19:24 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-09-01 19:22 [RFC] include audit type in audit message when using printk John Johansen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox