All,
Does there exist a repository of audit events that could be used to test
changes to the audit parsing code?
Although turning on
-a always,exit -F arch=b32 -S all
and
-a always,exit -F arch=b64 -S all
for a while does tend to generate a lot of audit, but it's clearly not
exhaustive so I
Someone might look for this info in the future...
AUDIT_ADD_GROUP User space group added
AUDIT_ADD_USER User space user account added
AUDIT_ANOM_ABEND Process ended abnormally
AUDIT_ANOM_ACCESS_FS Access of file or dir
AUDIT_ANOM_ADD_ACCT Adding an acct
AUDIT_ANOM_AMTU_FAIL AMTU
On Apr 9, 2014, at 8:24 AM, Satish Chandra Kilaru iam.kil...@gmail.com wrote:
Someone might look for this info in the future...
AUDIT_ADD_GROUP User space group added
AUDIT_ADD_USER User space user account added
AUDIT_ANOM_ABEND Process ended abnormally
...
Thanks!!!
Todd
On Apr 8, 2014, at 11:25 PM, Burn Alting b...@swtf.dyndns.org wrote:
All,
Does there exist a repository of audit events that could be used to test
changes to the audit parsing code?
Although turning on
-a always,exit -F arch=b32 -S all
and
-a always,exit -F arch=b64 -S all
for a
To the best of my knowledge there is no way to generate every record
type. I did send sgrubb the beginnings of me trying to write a suite of
programs to exercise some of them for hopeful eventual inclusion in the
auparse checker tool...
I really think such a thing would be useful...
On Wed,
On Sunday, March 30, 2014 07:07:54 PM Eric Paris wrote:
It is possible to configure your PAM stack to refuse login if
audit messages (about the login) were unable to be sent. This is common
in many distros and thus normal configuration of many containers. The
PAM modules determine if audit
All,
I'll start going through these references to see how complete (based on
current mainstream Linux deployments) a set of events I can get and
report back.
Regards
Burn
On Wed, 2014-04-09 at 13:19 -0400, Steve Grubb wrote:
On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
Does
On Wed, Apr 9, 2014 at 5:08 PM, Steve Grubb sgr...@redhat.com wrote:
This is a requirement. I do not advocate tricking user space.
It's not about tricking user space. This is how we used to behave.
ECONNREFUSED is what you got in a non-init namespace. So this is a
*regression fix*, not some
On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
Missing INTEGRITY_RULE
IMA with an 'audit' rule generates INTEGRITY_RULE messages.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit