Stephen Smalley wrote:
> On 10/06/2014 11:50 PM, William Roberts wrote:
>> I haven't really spent much time with the audit rule support patched
>> into auditd. Typically, if I wanted audit system logs, I would patch
>> the kernel setting some integer to 1. Not really the best, but it
>> worked. I think the tuna omap kernel was patched with it.
>> The result was whenever a denial occurred, I ended up with the whole
>> syscall trace of that event. Is there a way to enable that behavior
>> with the audit rules support?
>> My understanding is no, since it only has -e and -w support, and we
>> would need -s, is that correct?
>
> IIRC, we had auditd call audit_set_enabled(audit_fd, 1), which turned on

It did.

> the syscall audit collection, and if you further wanted the pathname
> collection, you could define a watch on any file and it would start
> collecting pathnames in general.
> We dropped auditd from our trees when it became clear that AOSP wanted
> to handle it via logd instead. But no one has added the audit watch
> functionality to logd.

Yeah, I was hoping to get around to doing this, unsure if Google would
accept it though.
_______________________________________________
Seandroid-list mailing list