linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: the AUDIT_MAC_POLICY_LOAD event is not well-formed #27

Closed stevegrubb closed 7 years ago

stevegrubb commented 8 years ago

The AUDIT_MAC_POLICY_LOAD event is missing some information:

type=MAC_POLICY_LOAD msg=audit(1479299795.404:43): policy loaded auid=4294967295 ses=4294967295

There should be results even if it's hard-coded as success. Also, what policy version got loaded (ok if not available), which MAC framework (selinux/smack/apparmor), and uid might be useful in telling if the user had changed accounts.

stevegrubb commented 8 years ago

The record also has dangling text "policy loaded". That is implied by the record type and could be dropped.
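
A small checker for the two problems raised above (free text that is not a `key=value` pair, and a missing result field), as an added example that is not code from the kernel or the audit userspace tools. Requiring a field named `res`, and the second, well-formed record, are assumptions constructed for illustration.

```python
import re

# Record quoted verbatim in the issue.
ISSUE_RECORD = ("type=MAC_POLICY_LOAD msg=audit(1479299795.404:43): "
                "policy loaded auid=4294967295 ses=4294967295")
# Constructed for contrast: same record, free text dropped, result field added.
CONSTRUCTED_OK = ("type=MAC_POLICY_LOAD msg=audit(1479299795.404:43): "
                  "auid=4294967295 ses=4294967295 res=1")

HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# A token is key=value (value may be quoted and contain spaces) or a bare word.
TOKEN = re.compile(r"""\S+?=(?:"[^"]*"|'[^']*'|\S*)|\S+""")
KEY = re.compile(r"[A-Za-z_][\w-]*")


def check_record(line, required=("res",)):
    """Split one audit record into fields and report what breaks key=value parsing.

    `required` is an assumption of this example, not a kernel-defined list.
    """
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields, dangling = {}, []
    for token in TOKEN.findall(m.group("body")):
        key, sep, value = token.partition("=")
        if sep and KEY.fullmatch(key):
            fields[key] = value.strip("\"'")
        else:
            dangling.append(token)  # free text a field parser cannot name
    return {
        "type": m.group("type"),
        "serial": int(m.group("serial")),
        "fields": fields,
        "dangling": dangling,
        "missing": [k for k in required if k not in fields],
    }


if __name__ == "__main__":
    for record in (ISSUE_RECORD, CONSTRUCTED_OK):
        result = check_record(record)
        print(result["type"], "dangling:", result["dangling"],
              "missing:", result["missing"])
```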

stevegrubb commented 8 years ago

Decided to post a patch for this: https://www.redhat.com/archives/linux-audit/2016-November/msg00025.html

pcmoore commented 7 years ago

Now being tracked in #47.