From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH] Fixed reason field in audit signal logging
Date: Thu, 07 Nov 2013 11:11:09 -0500
Message-ID: <3543583.YTj3YxNvnl@x2>
References: <20131107133932.GA10317@pauldc-Inspiron-1470>
 <1584071.15NUDX4DRn@x2>
 <1383838941.2938.40.camel@localhost>
In-Reply-To: <1383838941.2938.40.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
To: Eric Paris
Cc: linux-audit@redhat.com, viro@zeniv.linux.org.uk
List-Id: linux-audit@redhat.com

On Thursday, November 07, 2013 10:42:21 AM Eric Paris wrote:
> > I am confused. This is the abnormal end event I have:
> >
> >
> > type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0
> > ses=1
> > subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm="aureport"
> > sig=11
> >
> >
> > Why / when did we start adding text explanations? We should not do that.
> > We didn't have it before and it should not have been added. The signal
> > number is enough to identify the problem.
>
> We started adding a reason when seccomp started sending ANOM_ABEND
> events as well. It doesn't do so with a signal. Agreed, the " " is/was
> a bad idea...

Does seccomp still send these? I see there is an AUDIT_SECCOMP event being
sent by __audit_seccomp(). Does seccomp do anything with ABEND at this point?

-Steve