On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> Missing INTEGRITY_RULE
IMA with an 'audit' rule generates INTEGRITY_RULE messages.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Wed, Apr 9, 2014 at 5:08 PM, Steve Grubb wrote:
>
> This is a requirement. I do not advocate "tricking" user space.
It's not about tricking user space. This is how we used to behave.
ECONNREFUSED is what you got in a non-init namespace. So this is a
*regression fix*, not some kind of trick.
A
All,
I'll start going through these references to see how complete (based on
current mainstream Linux deployments) a set of events I can get and
report back.
Regards
Burn
On Wed, 2014-04-09 at 13:19 -0400, Steve Grubb wrote:
> On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> > Does
On Sunday, March 30, 2014 07:07:54 PM Eric Paris wrote:
> It is possible to configure your PAM stack to refuse login if
> audit messages (about the login) were unable to be sent. This is common
> in many distros and thus normal configuration of many containers. The
> PAM modules determine if audi
On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
I don't have one. My count is that there are 144 known events. I created a
testing tool, ausearch-test, that is located here:
To the best of my knowledge there is no way to generate every record
type. I did send sgrubb the beginnings of me trying to write a suite of
programs to exercise some of them for hopeful eventual inclusion in the
auparse checker tool...
I really think such a thing would be useful...
On Wed, 2014
On Apr 8, 2014, at 11:25 PM, Burn Alting wrote:
> All,
>
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
>
> Although turning on
>
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
>
> for a while do
On Apr 9, 2014, at 8:24 AM, Satish Chandra Kilaru wrote:
> Someone might look for this info in the future...
>
> AUDIT_ADD_GROUP " User space group added "
> AUDIT_ADD_USER " User space user account added "
> AUDIT_ANOM_ABEND " Process ended abnormally "
> ...
Thanks!!!
Todd
Someone might look for this info in the future...
AUDIT_ADD_GROUP " User space group added "
AUDIT_ADD_USER " User space user account added "
AUDIT_ANOM_ABEND " Process ended abnormally "
AUDIT_ANOM_ACCESS_FS Access of file or dir
AUDIT_ANOM_ADD_ACCT Adding an acct
AUDIT_ANOM_AMTU_FAIL