On Mon, 2005-01-03 at 11:52, Steve G wrote:
This is good to know. I am working on the audit daemon and noticed that avc messages usually wind up in syslog *even if* the audit daemon is running. I see "real" audit messages going to /var/log/audit.log and scrolling dbus avc messages in /var/log/messages both at the same time.
Not sure how the kernel decides where to send each of these...but they do go to different places on my machine.
dbusd avc audit messages are generated by libselinux using a callback
function provided by dbusd, and dbusd likely is just using syslog()
rather than communicating with the audit daemon. The kernel audit
framework isn't involved in that path. You'll need to change the
callback function provided by dbusd to instead send an AUDIT_USER
message with the audit data (or alternatively, have it talk directly to
the audit daemon).
For the kernel, the relevant code is audit_log_drain() in
kernel/audit.c. That checks whether audit_pid has been set, and if so,
it sends the audit message to that process; otherwise, it ends up
calling printk to send via klogd.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
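The routing change Smalley describes, as an added example that is not dbusd's, libselinux's or the kernel's code: a func_log callback (the signature libselinux's struct avc_log_callback expects) that sends each userspace AVC message to the audit daemon as a user record over the NETLINK_AUDIT socket, and falls back to syslog() when no audit socket is open, the same choice audit_log_drain() makes on audit_pid. The mail names AUDIT_USER; AUDIT_USER_AVC is the dedicated type later kernels added for exactly this, with the same frame layout. The socket itself (opened once at daemon start, sending needs CAP_AUDIT_WRITE) and the sample message are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>
#define AVC_MSG_MAX 1024
struct audit_user_msg {        /* netlink frame the kernel's audit receive path expects */
    struct nlmsghdr nlh;
    char text[AVC_MSG_MAX];    /* NUL-terminated record text */
};

/* Fill in a user-space audit record of the given type; returns the frame length. */
size_t build_audit_user_msg(struct audit_user_msg *m, unsigned type, const char *text)
{
    size_t len = strlen(text);
    if (len >= AVC_MSG_MAX) len = AVC_MSG_MAX - 1;   /* truncate, never overflow */
    memset(m, 0, sizeof *m);                         /* keeps text NUL-terminated */
    memcpy(m->text, text, len);
    m->nlh.nlmsg_len = NLMSG_LENGTH(len + 1);
    m->nlh.nlmsg_type = type;          /* AUDIT_USER_AVC here, or AUDIT_USER as in the mail */
    m->nlh.nlmsg_flags = NLM_F_REQUEST;
    return m->nlh.nlmsg_len;           /* nlmsg_pid stays 0: the kernel fills in the sender */
}
/* Send one AVC message over fd (a NETLINK_AUDIT socket, or -1 if the daemon has none); returns 1
 * if it reached the audit socket, 0 on the syslog fallback, audit_log_drain()'s choice without audit_pid. */
int route_avc_message(int fd, const char *text)
{
    struct audit_user_msg m;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };     /* nl_pid 0 = the kernel */
    size_t len = build_audit_user_msg(&m, AUDIT_USER_AVC, text);
    if (fd >= 0 && sendto(fd, &m, len, 0, (struct sockaddr *)&kernel, sizeof kernel) == (ssize_t)len)
        return 1;
    syslog(LOG_INFO, "%s", text);      /* what dbusd effectively does today */
    return 0;
}

/* func_log callback per libselinux's struct avc_log_callback; g_audit_fd is assumed opened at start */
int g_audit_fd = -1;
void dbus_avc_log(const char *fmt, ...)
{
    char buf[AVC_MSG_MAX];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    route_avc_message(g_audit_fd, buf);
}
```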