From: Steve Grubb
Subject: Re: [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
Date: Thu, 10 Jan 2008 13:22:39 -0500
Message-ID: <200801101322.39958.sgrubb@redhat.com>
References: <1199985923.7836.63.camel@klausk.br.ibm.com> <200801101241.00467.sgrubb@redhat.com> <1199987893.7836.66.camel@klausk.br.ibm.com>
In-Reply-To: <1199987893.7836.66.camel@klausk.br.ibm.com>
To: Klaus Heinrich Kiwi
Cc: "Linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Thursday 10 January 2008 12:58:13 Klaus Heinrich Kiwi wrote:
> On Thu, 2008-01-10 at 12:41 -0500, Steve Grubb wrote:
> > On Thursday 10 January 2008 12:25:23 Klaus Heinrich Kiwi wrote:
> > > Steve, as we talked earlier through IRC, ausearch/aureport are
> > > expecting the kernel anomalies messages to have auid= uid= gid= fields
> > > (in this order). This quick patch changes the ANOM_PROMISCUOUS message
> > > to the correct format (as already used by ANOM_ABEND).
> >
> > Thanks, would you mind making 2 changes to this? Add a test for
> > audit_enabled being true before calling audit_log...a long standing
> > oversight. And add a field at the end "res=1" since this doesn't appear
> > to be able to fail. I'm trying to get result fields in all events.
>
> Will do. Would you like something related to disabling this message when
> Xen is enabled?

Let's do that another time. Xen needs a lot of audit work in general.

-Steve