From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: [PATCH] Fixed reason field in audit signal logging
Date: Thu, 07 Nov 2013 09:13:48 -0600
Message-ID: <527BAE2C.90505@magitekltd.com>
References: <20131107133932.GA10317@pauldc-Inspiron-1470>	<1383835404.2938.38.camel@localhost>
	<1584071.15NUDX4DRn@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx11.extmail.prod.ext.phx2.redhat.com
	[10.5.110.16])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id rA7FDrOZ020697
	for <linux-audit@redhat.com>; Thu, 7 Nov 2013 10:13:53 -0500
Received: from mail-oa0-f41.google.com (mail-oa0-f41.google.com
	[209.85.219.41])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id rA7FDoku005482
	for <linux-audit@redhat.com>; Thu, 7 Nov 2013 10:13:50 -0500
Received: by mail-oa0-f41.google.com with SMTP id m1so1069517oag.14
	for <linux-audit@redhat.com>; Thu, 07 Nov 2013 07:13:49 -0800 (PST)
Received: from [192.168.31.11] (108-252-2-157.lightspeed.austtx.sbcglobal.net.
	[108.252.2.157])
	by mx.google.com with ESMTPSA id j9sm4273380oef.8.2013.11.07.07.13.49
	for <linux-audit@redhat.com>
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 07 Nov 2013 07:13:49 -0800 (PST)
In-Reply-To: <1584071.15NUDX4DRn@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 11/07/2013 09:05 AM, Steve Grubb wrote:
>
> I am confused. This is the abnormal end event I have:
>
> type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 ses=1 
> subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm="aureport" sig=11
>
> Why / when did we start adding text explanations? We should not do that. We 
> didn't have it before and it should not have been added. The signal number is 
> enough to identify the problem.
>
> If we did need a reason= field, all these strings with spaces will get 
> separated on parsing. They should be like "memory-violation" or "recieved-
> abort". And would it be better to hide this in the audit_log_abend function? I 
> honestly don't understand why this was added.
>
> -Steve

Whoops; looks like I jumped the gun. I also have the same results:
node=test1 type=ANOM_ABEND msg=audit(1383674813.174:5025253):
auid=4294967295 uid=0 gid=0 ses=4294967295
subj=system_u:system_r:xserver_t:s0-s15:c0.c1023 pid=5537 comm="X" sig=6

It looked like it would add value at first read.

LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com