On 10/06/2014 11:50 PM, William Roberts wrote:
> I haven't really spent much time with the audit rule support patched
> into auditd. Typically, if I wanted audit system logs, I would patch
> the kernel, setting some integer to 1. Not really the best, but it
> worked. I think the tuna omap kernel was patched with it.
>
> The result was whenever a denial occurred, I ended up with the whole
> syscall trace of that event. Is there a way to enable that behavior
> with the audit rules support?
>
> My understanding is no, since it only has -e and -w support, and we
> would need -s, is that correct?
IIRC, we had auditd call audit_set_enabled(audit_fd, 1), which turned on the
syscall audit collection, and if you further wanted the pathname collection,
you could define a watch on any file and it would start collecting pathnames
in general.

We dropped auditd from our trees when it became clear that AOSP wanted to
handle it via logd instead. But no one has added the audit watch
functionality to logd.

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
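The two steps described in the reply above (turn syscall audit collection on, then install a file watch so the kernel also records pathnames) as raw audit netlink messages, in C. This is an added example written for this page; it is not code from the thread, from Android's auditd, or from logd. It assumes a Linux kernel built with CONFIG_AUDIT and a caller holding CAP_AUDIT_CONTROL (root on a device); /data/misc is only a placeholder watch path. Message layouts and constants come from <linux/audit.h>. The AUDIT_SET message is what libaudit's audit_set_enabled() sends under the hood; the AUDIT_ADD_RULE message is built the way I understand `auditctl -w <path> -p rwxa` builds it (exit filter, always action, all syscalls, a path field plus a perm field), which is my reading of libaudit rather than something the thread states.

```c
/* Added example (not from the thread, auditd or logd): enable syscall
 * auditing and add a file watch over NETLINK_AUDIT without libaudit. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

#define RULE_BUF_MAX 4096   /* room for the watch path appended after audit_rule_data */

struct set_msg  { struct nlmsghdr nlh; struct audit_status st; };
struct rule_msg { struct nlmsghdr nlh;
                  unsigned char payload[sizeof(struct audit_rule_data) + RULE_BUF_MAX]; };

/* AUDIT_SET with only the 'enabled' field selected in the mask: this is the
 * message libaudit's audit_set_enabled(fd, enabled) sends. */
static struct set_msg build_set_enabled(uint32_t enabled, uint32_t seq)
{
    struct set_msg m;
    memset(&m, 0, sizeof m);
    m.nlh.nlmsg_len   = NLMSG_LENGTH(sizeof m.st);
    m.nlh.nlmsg_type  = AUDIT_SET;
    m.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    m.nlh.nlmsg_seq   = seq;
    m.st.mask    = AUDIT_STATUS_ENABLED;   /* kernel ignores fields not in the mask */
    m.st.enabled = enabled;
    return m;
}

/* AUDIT_ADD_RULE for a watch on 'path' with perms rwxa: syscall-exit filter,
 * always record, every syscall bit set. String field values live after the
 * fixed struct and their length goes in values[]; buflen is their total.
 * Returns the netlink message length, or 0 if the path does not fit. */
static size_t build_watch_rule(struct rule_msg *m, const char *path, uint32_t seq)
{
    size_t plen = strlen(path);
    if (plen == 0 || plen >= RULE_BUF_MAX)
        return 0;
    memset(m, 0, sizeof *m);
    struct audit_rule_data *r = (struct audit_rule_data *)m->payload;
    char *strs = (char *)r + sizeof *r;      /* start of the variable string area */

    r->flags  = AUDIT_FILTER_EXIT;
    r->action = AUDIT_ALWAYS;
    for (int i = 0; i < AUDIT_BITMASK_SIZE; i++)
        r->mask[i] = ~0U;                    /* match all syscalls, like auditctl -S all */

    r->fields[0] = AUDIT_WATCH;  r->fieldflags[0] = AUDIT_EQUAL;  r->values[0] = (uint32_t)plen;
    memcpy(strs, path, plen);
    r->buflen = (uint32_t)plen;
    r->fields[1] = AUDIT_PERM;   r->fieldflags[1] = AUDIT_EQUAL;
    r->values[1] = AUDIT_PERM_READ | AUDIT_PERM_WRITE | AUDIT_PERM_EXEC | AUDIT_PERM_ATTR;
    r->field_count = 2;

    m->nlh.nlmsg_len   = NLMSG_LENGTH(sizeof *r + plen);
    m->nlh.nlmsg_type  = AUDIT_ADD_RULE;
    m->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    m->nlh.nlmsg_seq   = seq;
    return m->nlh.nlmsg_len;
}

static int audit_open_sock(void)
{
    return socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);   /* needs CAP_AUDIT_CONTROL to use */
}

/* Send one message to the kernel (nl_pid 0). 0 on success, -1 with errno set. */
static int audit_send(int fd, const struct nlmsghdr *nlh)
{
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK };
    ssize_t n = sendto(fd, nlh, nlh->nlmsg_len, 0, (struct sockaddr *)&kern, sizeof kern);
    return n == (ssize_t)nlh->nlmsg_len ? 0 : -1;
}

/* Read the NLMSG_ERROR ack requested by NLM_F_ACK: 0, or the kernel's -errno. */
static int audit_recv_ack(int fd)
{
    unsigned char buf[8192];
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    if (n < (ssize_t)NLMSG_HDRLEN)
        return -EIO;
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    if (nlh->nlmsg_type != NLMSG_ERROR)
        return -EPROTO;
    return ((struct nlmsgerr *)NLMSG_DATA(nlh))->error;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/data/misc";   /* placeholder path (assumption) */
    int fd = audit_open_sock();
    if (fd < 0) { perror("socket(NETLINK_AUDIT)"); return 1; }

    struct set_msg s = build_set_enabled(1, 1);
    int rc = audit_send(fd, &s.nlh) ? -errno : audit_recv_ack(fd);
    if (rc) { fprintf(stderr, "AUDIT_SET enabled=1: %s\n", strerror(-rc)); close(fd); return 1; }

    static struct rule_msg m;
    if (!build_watch_rule(&m, path, 2)) { fputs("watch path too long\n", stderr); close(fd); return 1; }
    rc = audit_send(fd, &m.nlh) ? -errno : audit_recv_ack(fd);
    if (rc) { fprintf(stderr, "AUDIT_ADD_RULE watch on %s: %s\n", path, strerror(-rc)); close(fd); return 1; }

    printf("syscall auditing enabled; watch on %s installed\n", path);
    close(fd);
    return 0;
}
```

Each request carries NLM_F_ACK, so the kernel answers with an NLMSG_ERROR whose error field is 0 on success and a negative errno otherwise: -EPERM when the caller lacks CAP_AUDIT_CONTROL, -EEXIST when an identical rule is already loaded. Both messages are inspected by the tests without touching the socket, so the message-building part can be checked on any Linux build host; only main() needs the privilege.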