It just dawned on me, isn't there another config to enable audit syscall in the kernel, CONFIG_AUDITSYSCALL? Perhaps this is why I didn't see the messages....
I don't think my initial implementation set it to one, and josh's changes to the readme include -e, so I'm assuming he added it. I'll have to check to be certain.

On Oct 7, 2014 7:35 AM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
> On 10/06/2014 11:50 PM, William Roberts wrote:
> > I haven't really spent much time with the audit rule support patched
> > into auditd. Typically, if I wanted audit system logs, I would patch
> > the kernel setting some integer to 1. Not really the best, but it
> > worked. I think the tuna omap kernel was patched with it.
> >
> > The result was whenever a denial occurred, I ended up with the whole
> > syscall trace of that event. Is there a way to enable that behavior
> > with the audit rules support?
> >
> > My understanding is no, since it only has -e and -w support, and we
> > would need -s, is that correct?
>
> IIRC, we had auditd call audit_set_enabled(audit_fd, 1), which turned on
> the syscall audit collection, and if you further wanted the pathname
> collection, you could define a watch on any file and it would start
> collecting pathnames in general.
>
> We dropped auditd from our trees when it became clear that AOSP wanted
> to handle it via logd instead. But no one has added the audit watch
> functionality to logd.
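For reference, this is what the audit_set_enabled(audit_fd, 1) call mentioned above puts on the wire: an AUDIT_SET request over NETLINK_AUDIT whose payload is the kernel's struct audit_status with only the "enabled" field masked in. This is an added example, not code from the thread or from the AOSP/SEAndroid auditd; it assumes Linux uapi headers, and the function names are mine. Enabling syscall collection this way needs CAP_AUDIT_CONTROL, and a real daemon would also read the NLMSG_ERROR ack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Wire layout of an AUDIT_SET request: netlink header followed by the
 * kernel's struct audit_status. Only fields named in `mask` are applied. */
struct audit_set_req {
    struct nlmsghdr nlh;
    struct audit_status status;
};

/* Fill `req` with an AUDIT_SET message that flips the global enabled
 * flag (1 = emit SYSCALL records for audited events). Returns the
 * total message length to hand to sendto(). Pure, so it is testable
 * without privileges. */
size_t build_audit_enable_request(struct audit_set_req *req, uint32_t enabled)
{
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->status));
    req->nlh.nlmsg_type = AUDIT_SET;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->status.mask = AUDIT_STATUS_ENABLED;   /* touch nothing but `enabled` */
    req->status.enabled = enabled;
    return req->nlh.nlmsg_len;
}

/* Open an audit netlink socket and send the request to the kernel
 * (nl_pid 0). Requires CAP_AUDIT_CONTROL; returns 0 on success. */
int send_audit_enable(uint32_t enabled)
{
    struct audit_set_req req;
    size_t len = build_audit_enable_request(&req, enabled);
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -1;
    ssize_t n = sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof(kernel));
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    if (send_audit_enable(1) != 0) {
        perror("AUDIT_SET enabled=1");
        return 1;
    }
    puts("syscall audit collection enabled; a watch rule adds pathname records");
    return 0;
}
```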
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.