On Tue, May 3, 2022 at 5:02 AM Sven Schnelle <[email protected]> wrote:
>
> For automated filtering/testing it is useful to have the
> filter key logged in the message.
>
> Signed-off-by: Sven Schnelle <[email protected]>
> ---
> kernel/auditsc.c | 1 +
> 1 file changed, 1 insertion(+)

The SOCKETCALL record, along with all of the others generated inside show_special(), are associated with a SYSCALL record which carries the "key=" field. As a general rule we try very hard not to duplicate fields across records in a single audit event.

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index c856893041c9..2e349660a56f 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1508,6 +1508,7 @@ static void show_special(struct audit_context *context, > int *call_panic) > audit_log_time(context, &ab); > break; > } > + audit_log_key(ab, context->filterkey); > audit_log_end(ab); > } > > -- > 2.32.0

--
paul-moore.com
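Review bot: the added audit_log_key(ab, context->filterkey) sits after the closing brace that follows the last break and directly before audit_log_end(ab), so it is unconditional for every record that reaches the end of show_special(), yet the commit message names no record type and shows no before/after sample of the output. As the reply notes, these records belong to an event whose SYSCALL record already carries "key=", so this duplicates a field within one event. Suggest dropping the kernel change and having the filtering tool take the key from the SYSCALL record of the same event, or, if that is not workable, stating in the commit message which record types need the key and why the event-level field is insufficient.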
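The event-level correlation the reply describes, as an added example (not code from the thread or from the audit project): records that share one `msg=audit(timestamp:serial)` id form a single event, so a filter can read `key=` from the SYSCALL record and apply it to that event's SOCKETCALL record. The log lines and the names `decode_key`, `parse` and `select` are constructed for illustration; the hex case assumes the kernel's hex encoding of a multi-key value with a 0x01 separator.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the page): three events of two records each.
SAMPLE = """\
type=SYSCALL msg=audit(1651568520.123:417): arch=80000016 syscall=102 success=yes exit=3 pid=911 comm="demo" key="sock-watch"
type=SOCKETCALL msg=audit(1651568520.123:417): nargs=3 a0=2 a1=1 a2=0
type=SYSCALL msg=audit(1651568521.004:418): arch=80000016 syscall=102 success=yes exit=4 pid=911 comm="demo" key=(null)
type=SOCKETCALL msg=audit(1651568521.004:418): nargs=3 a0=a a1=2 a2=0
type=SYSCALL msg=audit(1651568522.500:419): arch=80000016 syscall=102 success=yes exit=5 pid=911 comm="demo" key=736F636B0161757468
type=SOCKETCALL msg=audit(1651568522.500:419): nargs=3 a0=2 a1=2 a2=0
"""

RECORD = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KEY = re.compile(r'(?:^| )key=("[^"]*"|\(null\)|[0-9A-Fa-f]+)(?= |$)')

def decode_key(raw):
    """Return the list of filter keys held in one key= value."""
    if raw == "(null)":
        return []
    if raw.startswith('"'):
        return [raw[1:-1]]
    return bytes.fromhex(raw).decode("utf-8", "replace").split("\x01")

def parse(text):
    """Group records by event id (timestamp, serial); keys come from SYSCALL only."""
    events = defaultdict(lambda: {"keys": [], "records": []})
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        ev = events[(stamp, int(serial))]
        ev["records"].append((rtype, body))
        k = KEY.search(body) if rtype == "SYSCALL" else None
        if k:
            ev["keys"] = decode_key(k.group(1))
    return events

def select(text, rtype, key):
    """Records of type rtype whose event's SYSCALL record carries the given key."""
    out = []
    for (_, serial), ev in sorted(parse(text).items(), key=lambda kv: kv[0][1]):
        if key in ev["keys"]:
            out += [(serial, body) for t, body in ev["records"] if t == rtype]
    return out

if __name__ == "__main__":
    print(select(SAMPLE, "SOCKETCALL", "sock-watch"))
```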
