On Tuesday, June 03, 2014 01:28:40 PM Briane Lin wrote:
> We are unable to properly monitor an event with AUID=unset, does anyone
> know why we are currently seeing these and what is the resolution?
If you have an unset auid and it's supposed to be meaningful, then the way that
people are logging
We are receiving LINUX RHEL versions 5 and 6 in our environment with
type=SYSCALL and auid=unset event types.
We are unable to properly monitor an event with AUID=unset, does anyone
know why we are currently seeing these and what is the resolution?
Thanks!
Briane Lin
IBM Global Technology Serv
On 06/03/2014 07:47 AM, Steve Grubb wrote:
> Yep. So, the question is really how to fix this. Should we have a different
> function that is swung in with #ifdef WITH_APPARMOR called parse_aa_avc? Then
> it can be tuned exactly for AppArmor's needs? Later, the kernel event number
> can be changed
On Monday, June 02, 2014 06:00:54 PM Tony Jones wrote:
> On 05/29/2014 01:31 AM, Tyler Hicks wrote:
> > I'm surprised that this patch makes ausearch work correctly for AppArmor
> > AVC events. The first thing that parse_avc() does is look for the
> > "avc: " term in the AVCs that SELinux generates.