Klaus Heinrich Kiwi wrote:
Hi,
when I started building my dispatcher plug-in, I assumed that I'd only
need the field values in each record to have all the data I needed. My
plug-in for remote logging aimed at consolidating the audit data in
another server, so I probably need all the audit
(sorry about the html posting)
John Dennis [EMAIL PROTECTED] wrote on 11/14/2007 09:30:16 AM:
original record:
type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 old
auid=4294967295 new auid=0
---walk_test()
event 1 has 1 records
record 1 of type 1006(LOGIN)
On Tuesday 13 November 2007 18:30:45 Klaus Heinrich Kiwi wrote:
Example record:
type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759
uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023
msg='op=adding user to shadow group acct=klausk
exe=/usr/sbin/usermod (hostname=?,
On Wednesday 14 November 2007 10:24:46 [EMAIL PROTECTED] wrote:
It seems like a field value cannot contain any spaces,
Correct. I've mentioned that many times in different code reviews. You can add
data to the field for human use, but it won't be associated with the field's
value directly.
On Friday 09 November 2007 14:56:05 [EMAIL PROTECTED] wrote:
See that 'r-machine' and 'r-syscall' are only filled when the 'arch'
field is found in the 2nd position, and syscall in the 3rd position
respectively. That is not true when the dispatcher is appending a 'node='
field to each record.
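Both points above (a value ends at the first space, and a prepended node= field shifts every position) can be seen with a small key=value tokenizer. This is an added example, not code from the thread, from audit-userspace or from any dispatcher plug-in; the records in the test are constructed from the ones quoted above, with the tail after exe= filled in for the example.

```c
/* Added example; not code from the linux-audit thread or audit-userspace.
 * A minimal key=value tokenizer for one audit record line, to show two points
 * made above: a value ends at the first space (so "op=adding user to shadow
 * group" yields op=adding plus bare words), and prepending "node=" shifts
 * every field position (so arch is no longer slot 2 nor syscall slot 3). */
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 32
#define KEY_LEN    32
#define VAL_LEN    256

struct field {
    char key[KEY_LEN];
    char val[VAL_LEN];  /* empty for a bare word that has no '=' */
    int  quoted;        /* value was enclosed in single quotes */
};

static void copy_bounded(char *dst, const char *src, size_t len, size_t cap)
{
    if (len >= cap)
        len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Split one record into fields. A value runs to the next space unless it
 * starts with a single quote, in which case it runs to the closing quote
 * (that is how msg='...' survives as one field of the outer record).
 * Returns the number of fields stored. */
int parse_fields(const char *rec, struct field *out, int max)
{
    const char *p = rec;
    int n = 0;

    while (n < max) {
        while (*p == ' ')
            p++;
        if (*p == '\0')
            break;

        struct field *f = &out[n++];
        const char *start = p;
        memset(f, 0, sizeof *f);

        while (*p != '\0' && *p != ' ' && *p != '=')
            p++;
        copy_bounded(f->key, start, (size_t)(p - start), KEY_LEN);
        if (*p != '=')
            continue;                       /* bare word, e.g. "user" */

        start = ++p;
        if (*p == '\'') {
            f->quoted = 1;
            start = ++p;
            while (*p != '\0' && *p != '\'')
                p++;
            copy_bounded(f->val, start, (size_t)(p - start), VAL_LEN);
            if (*p == '\'')
                p++;
        } else {
            while (*p != '\0' && *p != ' ')
                p++;
            copy_bounded(f->val, start, (size_t)(p - start), VAL_LEN);
        }
    }
    return n;
}

/* 0-based position of the first field with this key, -1 if absent. */
int field_pos(const struct field *f, int n, const char *key)
{
    for (int i = 0; i < n; i++)
        if (strcmp(f[i].key, key) == 0)
            return i;
    return -1;
}

/* Same, but the last match: user-space records carry two msg= fields. */
int field_pos_last(const struct field *f, int n, const char *key)
{
    for (int i = n - 1; i >= 0; i--)
        if (strcmp(f[i].key, key) == 0)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed from the USER_CHAUTHTOK record quoted in the thread; the
     * part after exe= is made up for this example. */
    static const char rec[] =
        "type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759 "
        "uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
        "msg='op=adding user to shadow group acct=klausk exe=/usr/sbin/usermod "
        "(hostname=?, addr=?, terminal=? res=success)'";
    struct field outer[MAX_FIELDS], inner[MAX_FIELDS];
    int n = parse_fields(rec, outer, MAX_FIELDS);
    int m = parse_fields(outer[field_pos_last(outer, n, "msg")].val,
                         inner, MAX_FIELDS);

    for (int i = 0; i < m; i++)
        printf("inner[%d] key=\"%s\" val=\"%s\"\n", i, inner[i].key, inner[i].val);
    return 0;
}
```

Running main() prints the inner fields of the quoted msg= value: op=adding is followed by the bare tokens user, to, shadow and group before acct=klausk, which is exactly the "human use only" data Steve describes. Any consumer that indexes fields by position rather than by key must also cope with the node= shift.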
When a syscall gets interrupted by a signal and that signal is set to
not restart the syscall its return code will get collected by the audit
system before the registers are changed to the userspace valid EINTR;
See the discussion in include/linux/errno.h
Thus it is possible to get a syscall
On Wednesday 14 November 2007 15:22:08 Eric Paris wrote:
+ if (unlikely((return_code == -ERESTART_RESTARTBLOCK) ||
+ (return_code == -ERESTARTNOHAND) ||
+ (return_code == -ERESTARTSYS) ||
+ (return_code == -ERESTARTNOINTR)))
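Review bot: the condition names the four restart codes but the hunk carries no comment saying why they are singled out, and as quoted it stops before the substitution itself; a one-line comment above the `if` pointing at the note in include/linux/errno.h (these values never reach userspace and become EINTR once the signal is delivered without SA_RESTART, as the message explains) would spare the next reader the same question, and the replacement value should be visible next to the check rather than further down.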
Would
On Wednesday 14 November 2007 3:22:08 pm Eric Paris wrote:
When a syscall gets interrupted by a signal and that signal is set to
not restart the syscall its return code will get collected by the audit
system before the registers are changed to the userspace valid EINTR;
See the discussion in
On Wed, 2007-11-14 at 15:30 -0500, Steve Grubb wrote:
On Wednesday 14 November 2007 15:22:08 Eric Paris wrote:
+ if (unlikely((return_code == -ERESTART_RESTARTBLOCK) ||
+(return_code == -ERESTARTNOHAND) ||
+(return_code == -ERESTARTSYS) ||
+
Steve Grubb wrote:
On Wednesday 14 November 2007 15:22:08 Eric Paris wrote:
+ if (unlikely((return_code == -ERESTART_RESTARTBLOCK) ||
+(return_code == -ERESTARTNOHAND) ||
+(return_code == -ERESTARTSYS) ||
+(return_code ==
On Wednesday 14 November 2007 16:07:42 Eric Paris wrote:
It should be slightly faster [snip]
We would also be picking up ENOIOCTLCMD but that shouldn't be seen on
this code path, so I guess it doesn't matter.
Right, the note in the top of include/linux/errno.h says these should not be
seen by
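The rewrite discussed in the messages above, modelled in userspace as an added example (not the kernel patch under review and not code from any participant). The K_* values copy the numbers from include/linux/errno.h; audit_visible_rc() applies the four explicit comparisons shown in the quoted hunk; audit_visible_rc_range() is an assumed range-check variant, included only to show that it would also rewrite ENOIOCTLCMD; interrupted_read_errno() shows what userspace actually observes when a blocking read() is interrupted and the handler was installed without SA_RESTART.

```c
/* Added example; not the kernel patch from the thread and not kernel code.
 * Models the situation Eric Paris describes: a signal interrupts a blocking
 * syscall, the handler has no SA_RESTART, and the kernel-internal return value
 * is one of the ERESTART* codes that later becomes EINTR before userspace
 * sees it. A record that stores the raw value carries a code userspace never
 * observes. The numbers below match include/linux/errno.h; they are not
 * exported to userspace, so the example defines them itself. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define K_ERESTARTSYS           512
#define K_ERESTARTNOINTR        513
#define K_ERESTARTNOHAND        514
#define K_ENOIOCTLCMD           515
#define K_ERESTART_RESTARTBLOCK 516

/* The value an audit record should carry: what userspace will observe.
 * Explicit comparisons, as in the quoted hunk, so that ENOIOCTLCMD (515,
 * which sits between the restart codes) is deliberately left alone. */
long audit_visible_rc(long rc)
{
    if (rc == -K_ERESTARTSYS || rc == -K_ERESTARTNOINTR ||
        rc == -K_ERESTARTNOHAND || rc == -K_ERESTART_RESTARTBLOCK)
        return -EINTR;
    return rc;
}

/* Assumed alternative: one range check (-516..-512) instead of four
 * comparisons. Cheaper, but it also rewrites ENOIOCTLCMD. */
long audit_visible_rc_range(long rc)
{
    if (rc <= -K_ERESTARTSYS && rc >= -K_ERESTART_RESTARTBLOCK)
        return -EINTR;
    return rc;
}

static volatile sig_atomic_t got_signal;
static void on_alarm(int sig) { (void)sig; got_signal = 1; }

/* Userspace view: read() on an empty pipe, interrupted by SIGALRM whose
 * handler was installed without SA_RESTART. Returns the errno the caller
 * sees (EINTR expected), 0 if the read unexpectedly returned data, or -1 on
 * setup failure. */
int interrupted_read_errno(void)
{
    int fds[2];
    char buf[1];
    struct sigaction sa;

    if (pipe(fds) != 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;            /* no SA_RESTART: the read must fail with EINTR */
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;

    got_signal = 0;
    alarm(1);
    ssize_t r = read(fds[0], buf, sizeof buf);
    int saved = (r < 0) ? errno : 0;
    alarm(0);
    close(fds[0]);
    close(fds[1]);
    return saved;
}

int main(void)
{
    printf("raw -ERESTARTSYS (%ld) recorded as %ld\n",
           (long)-K_ERESTARTSYS, audit_visible_rc(-K_ERESTARTSYS));
    printf("interrupted read() gives errno %d (EINTR is %d)\n",
           interrupted_read_errno(), EINTR);
    return 0;
}
```

Running main() shows the two sides of the same event: the internal -512 the kernel holds at audit collection time, and the EINTR (4) that the interrupted process is handed. The explicit form keeps -ENOIOCTLCMD untouched, which the range form does not; whether that matters depends only on whether ENOIOCTLCMD can reach this path, which is the question the reply above settles.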