On 05/30/2014 02:00 PM, Steve Grubb wrote:
> This is a big mistake, IMHO. In theory, this is what should have happened:
> An access decision event should have been named in the 1500 block. It would
> then be free to include the field it needs in the order it needs. The
> ausearch would get a function parse_aa_decision. That function would stuff
> a struct specially tuned for AA usage. Aureport would gain a new report.

The very original AA submission logged everything from the kernel using
AUDIT_AA, which was defined in the submission as:

+#define AUDIT_AA 1500 /* AppArmor audit */

I'm not sure when the change was made to call common_lsm_audit(), which logs
as AUDIT_AVC.

I agree with Steve, doesn't seem a good idea.

tony

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
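As an added illustration of the parsing problem discussed in this thread (example code, not from the list or from audit-userspace): because AppArmor records are emitted as type=AVC, a consumer has to sniff the record body to tell them from SELinux AVC records, whereas a dedicated record type in the 1500 block would let it dispatch on the type alone. The sample log lines, the type name "AA", and the parse_aa_decision stand-in are constructed for this example; AUDIT_AVC=1400 is the kernel's value and AUDIT_AA=1500 is the value quoted above.

```python
import re

# Numeric record types: AUDIT_AVC from the kernel's uapi audit.h,
# AUDIT_AA as defined in the original AppArmor submission quoted above.
AUDIT_AVC = 1400
AUDIT_AA = 1500

# Constructed sample records: one SELinux denial and one AppArmor denial,
# both arriving as type=AVC the way common_lsm_audit() emits them today.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1401458400.101:201): avc:  denied  { read } for  pid=1234 '
    'comm="cat" name="shadow" dev="sda1" ino=1 '
    'scontext=unconfined_u:unconfined_r:unconfined_t '
    'tcontext=system_u:object_r:shadow_t tclass=file',
    'type=AVC msg=audit(1401458400.102:202): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/etc/shadow" pid=1235 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

TYPE_RE = re.compile(r'^type=(\w+) ')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def classify(record):
    """Return which LSM produced a record.

    With a shared type=AVC the only way to recognise AppArmor is to look
    for an apparmor= key in the body; a dedicated type (here the
    hypothetical name "AA" for AUDIT_AA) is recognised from the type alone.
    """
    m = TYPE_RE.match(record)
    if not m:
        return "unknown"
    rtype = m.group(1)
    if rtype == "AA":  # hypothetical name for a dedicated AUDIT_AA record
        return "apparmor"
    if rtype == "AVC":
        return "apparmor" if " apparmor=" in record else "selinux"
    return "other"


def parse_aa_decision(record):
    """Stand-in for the ausearch parse function Steve describes (not the
    real ausearch code): pull the AppArmor decision fields into a dict."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(record)}
    return {
        "decision": fields.get("apparmor"),
        "operation": fields.get("operation"),
        "profile": fields.get("profile"),
        "name": fields.get("name"),
        "denied_mask": fields.get("denied_mask"),
    }
```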
