On Thursday, November 07, 2013 11:11:09 AM Steve Grubb wrote: > On Thursday, November 07, 2013 10:42:21 AM Eric Paris wrote: > > > I am confused. This is the abnormal end event I have: > > > > > > > > > type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 > > > ses=1 > > > subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm="aureport" > > > sig=11> > > > > > > > > > Why / when did we start adding text explanations? We should not do that. > > > We didn't have it before and it should not have been added. The signal > > > number is enough to identify the problem. > > > > We started adding a reason when seccomp started sending ANOM_ABEND > > events as well. It doesn't do so with a signal. Agreed, the " " is/was > > a bad idea... > > Does seccomp still send these? I see there is an AUDIT_SECCOMP event being > sent by __audit_seccomp(). Does seccomp do anything with ABEND at this > point?
As far as I can see via grepping around, seccomp does not call audit_log_abend(). As a matter of fact, only audit_core_dumps() does. meaning there is no reason for audit_log_abend anymore. Its code can be pushed back into audit_core_dumps() and the reason= can be removed entirely. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit