[patch] Syscall auditing - move "name=" field to the end
From: Ondrej Zary
Date: Wed Mar 16 2005 - 16:42:56 EST
This patch moves the "name=" field to the end of audit records. The
original placement is bad because it cannot be properly parsed. It is
impossible to tell if the name is "/bin/true" or "/bin/true inode=469634
dev=00:00" because the "inode=" and "dev=" fields can be omitted.
Before:
audit(1111008486.824:89346): item=0 name=/bin/true inode=469634 dev=00:00
After:
audit(1111008486.824:89346): item=0 inode=469634 dev=00:00 name=/bin/true
Signed-off-by: Ondrej Zary <linux@xxxxxxxxxxxxxxxxxxxx>
--
Ondrej Zary
--- linux-2.6.11/kernel/auditsc.c~ 2005-03-16 22:13:22.000000000 +0100
+++ linux-2.6.11/kernel/auditsc.c 2005-03-16 22:13:22.000000000 +0100
@@ -612,9 +612,6 @@
if (!ab)
continue; /* audit_panic has been called */
audit_log_format(ab, "item=%d", i);
- if (context->names[i].name)
- audit_log_format(ab, " name=%s",
- context->names[i].name);
if (context->names[i].ino != (unsigned long)-1)
audit_log_format(ab, " inode=%lu",
context->names[i].ino);
@@ -624,6 +621,9 @@
audit_log_format(ab, " dev=%02x:%02x",
MAJOR(context->names[i].rdev),
MINOR(context->names[i].rdev));
+ if (context->names[i].name)
+ audit_log_format(ab, " name=%s",
+ context->names[i].name);
audit_log_end(ab);
}
}