Hi,
On kernel Access Vector Cache (AVC) initialization, there is an audit KERNEL
type message logged to announce this fact.
The general format of audit messages are label=value pair fields. Steve Grubb
has been asking to have these records normalized by having a predictable set of
field labels present.
There already exists an audit KERNEL message giving audit state which has been
normalized thus:
"state=initialized audit_enabled=%u res=1"
The AVC initialization audit message doesn't currently fit that format:
"AVC INITIALIZED"
I'd created an issue to normalize the AVC initialization along these lines or
to have it move to a new message type and Paul Moore is questioning whether
this message is required at all:
https://github.com/linux-audit/audit-kernel/issues/48
Can this message simply be eliminated?
Thanks!
- RGB
--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
