Hello, I apologize for the delay.
On Tuesday, March 14, 2017 7:42:27 AM EDT Martin Kletzander wrote:
> I am going through the fields in the dictionary and I can't find any
> name to use for the following scenario.
>
> We (libvirt) are running virtual machines and there's a thing nowadays,
> that people like to use, called ivshmem (Inter-VM SHared MEMory). From
> host's point of view this is just a shared memory region accessed by
> multiple VMs (and possibly to host as well). The machine maps the
> shared memory given a name (e.g. name "asdf" results in /dev/shm/asdf to
> be mapped) *or* it can communicate with a server over UNIX socket and
> that server handles interrupts and also tells the client which shared
> memory region to map.

If both of these result in a path, then I think we want to log it as a resource event.

> Talking about information we have; in server-less
> setup it's the shared memory region that is shared, in the server
> scenario it is the socket. That's information we can output.

Above you mentioned that the server communicates which region to map. Can you explain what that means?

> So my question is, when starting a domain or hot-(un)plugging, what
> naming should we use for this kind of device and what are the things
> that we should describe about it? Basically, how would you like the
> message to look?

We need a record recording what is getting assigned to the VM. In the case of the /dev/shm, you can record that as a path which must be escaped. In the case of the server, I think we still need to understand what is happening. Just recording a socket number or path is not terribly useful in reconstructing the resources given to the VM.

Audit events have to tell a story. There is a subject, object, action, and results. It kind of needs to be a sentence. "libvirtd successfully assigned ____ to vm-name."

-Steve

> Thanks in advance for any info.
>
> Have a nice day,
> Martin

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
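The two points Steve raises above, that the path handed to the VM must be escaped and that the record must read as subject, object, action and result, can be shown end to end. The following is an added example and is not libvirt's or audit-userspace's code. Its value escaping mirrors the convention of libaudit's audit_encode_nv_string(): a value is written as name="value" when it is plain printable ASCII without a double quote, otherwise as name=HEX (uppercase hex of the raw bytes, unquoted), which is what ausearch -i later decodes. The record layout (virt=, resrc=, reason=, vm=, uuid=, res=) is modelled on libvirt's existing resource records; the names resrc=shmem, path= and socket= are assumptions for illustration, since the thread leaves the actual naming open. The parser at the end is the forensic side: it rebuilds the fields, including hex-encoded ones, from the emitted line.

```python
"""Build and parse an audit record for assigning an ivshmem resource to a VM.

Added example, not libvirt's or audit-userspace's code. Escaping follows the
libaudit convention (quote plain ASCII, hex-encode anything else); the field
names resrc=shmem, path= and socket= are assumed, not settled in the thread.
"""
from __future__ import annotations

import re
from typing import Optional

# A bare (unquoted) value made only of uppercase hex digits is a hex-encoded
# value in this convention; quoted values are always taken verbatim.
HEX_VALUE = re.compile(r"^[0-9A-F]+$")
FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def needs_encoding(value: bytes) -> bool:
    """True if any byte is space/control (<0x21), DEL, non-ASCII, or '"'.

    This is the same test libaudit applies before deciding whether a value
    can be emitted quoted or must be hex-encoded."""
    return any(b < 0x21 or b >= 0x7F or b == ord('"') for b in value)


def encode_nv(name: str, value: str) -> str:
    """Render one name=value pair, hex-encoding the value when it is unsafe."""
    raw = value.encode("utf-8")
    if needs_encoding(raw):
        return f"{name}={raw.hex().upper()}"
    return f'{name}="{value}"'


def shmem_assignment_record(vm: str, uuid: str, reason: str, success: bool,
                            shm_path: Optional[str] = None,
                            server_socket: Optional[str] = None) -> str:
    """Message body telling the story: libvirtd (subject, implied by the
    record type) assigned a shared-memory resource (object) to a VM for a
    reason (action), with a result.

    Field names resrc=shmem, path= and socket= are assumptions."""
    fields = [
        "virt=kvm",           # constructed: hypervisor driver
        "resrc=shmem",        # assumed resource name
        f"reason={reason}",   # e.g. start / attach / detach
        encode_nv("vm", vm),  # VM name is user-controlled: always escape
        f"uuid={uuid}",
    ]
    if shm_path is not None:          # server-less setup: the mapped region
        fields.append(encode_nv("path", shm_path))
    if server_socket is not None:     # server setup: the UNIX socket used
        fields.append(encode_nv("socket", server_socket))
    fields.append("res=" + ("success" if success else "failed"))
    return " ".join(fields)


def parse_record(record: str) -> dict[str, str]:
    """Inverse of the encoder for a whole line, as ausearch -i would show it:
    quoted values verbatim, bare uppercase-hex values decoded to text."""
    out: dict[str, str] = {}
    for m in FIELD.finditer(record):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        if quoted is not None:
            out[key] = quoted
        elif HEX_VALUE.match(bare) and len(bare) % 2 == 0:
            out[key] = bytes.fromhex(bare).decode("utf-8", errors="replace")
        else:
            out[key] = bare
    return out


if __name__ == "__main__":
    # Constructed sample: a VM whose name contains a space, mapping /dev/shm/asdf.
    rec = shmem_assignment_record("guest 1", "0c1e0b6b-2c3d-4e5f-8a9b-0c1d2e3f4a5b",
                                  "start", True, shm_path="/dev/shm/asdf")
    print(rec)
    print(parse_record(rec))
```

The VM name is escaped unconditionally because it is chosen by whoever defines the domain; a name containing a space or a double quote would otherwise break field parsing on the consumer side, which is exactly why the convention hex-encodes rather than quotes such values.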
