Hi all,
I'm writing a custom user-land auditd client subscribing to kauditd to monitor a
number of system calls that we are interested in. My auditd client seems to work
fine overall, but I found unexpected behavior of the auditd framework which slows
down (or sometimes freezes) the entire system as
Steve,
Thanks for taking a look at my patch.
On Wed, Jul 15, 2015 at 3:38 PM, Steve Grubb sgr...@redhat.com wrote:
On Thursday, May 28, 2015 08:04:05 AM Clayton Shotwell wrote:
During the audit build, several lookup tables are generated as header
files that are then linked in with the
On Thursday, July 16, 2015 08:38:22 AM Kangkook Jee wrote:
I'm writing a custom user-land auditd client subscribing to kauditd to
monitor a number of system calls that we are interested in. My auditd client
seems to work fine overall, but I found unexpected behavior of the auditd
framework which
During the audit build, several lookup tables are generated as header
files that are then linked in with the executables. This process is done
by a C application that needs to be able to be run on the host. The
current Makefile structure tries to build these executables for the
target instead of
On Tuesday, July 14, 2015 11:40:42 AM Richard Guy Briggs wrote:
The audit watch parent count was imbalanced, adding an unnecessary layer of
watch parent references. Decrement the additional parent reference when a
watch is reused, already having a reference to the parent.
Signed-off-by:
On Thursday, July 16, 2015 03:31:56 PM Clayton Shotwell wrote:
This is revision 2 of this patch and is a complete rework of the
original patch. I have tested that it builds on an x86_64 ubuntu
platform and tested it running on an ARM cross compile platform.
Thanks! Applied. Starting release
On Tuesday, July 14, 2015 11:40:41 AM Richard Guy Briggs wrote:
The audit watch count was imbalanced, adding an unnecessary layer of watch
references. Only add the second reference when it is added to a parent.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_watch.c |
On Thursday, July 16, 2015 10:01:28 PM Richard Guy Briggs wrote:
On 15/07/16, Paul Moore wrote:
On Tuesday, July 14, 2015 11:50:26 AM Richard Guy Briggs wrote:
Make this interface consistent with watch and filter key, avoiding the
extra string copy and simply consume the new string
I have to admit, I'm partial to not merging this (with the other
patches). Changing object lifetimes in what I seem to remember is long
standing code (auditfilter, not auditexe) seems to me like something we
really would want to be git bisectable, not mushed with an unrelated
feature addition.
On Thursday, July 16, 2015 10:01:30 PM Eric Paris wrote:
I have to admit, I'm partial to not merging this (with the other
patches). Changing object lifetimes in what I seem to remember is long
standing code (auditfilter, not auditexe) seems to me like something we
really would want to be git
On 15/07/16, Paul Moore wrote:
On Tuesday, July 14, 2015 11:50:25 AM Richard Guy Briggs wrote:
Instead of just hard coding the ino and dev of the executable we care
about at the moment the rule is inserted into the kernel, use the new
audit_fsnotify infrastructure. This means that if the
On 15/07/16, Paul Moore wrote:
On Tuesday, July 14, 2015 11:50:26 AM Richard Guy Briggs wrote:
Make this interface consistent with watch and filter key, avoiding the extra
string copy and simply consume the new string pointer.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
On Tuesday, July 14, 2015 11:50:25 AM Richard Guy Briggs wrote:
Instead of just hard coding the ino and dev of the executable we care
about at the moment the rule is inserted into the kernel, use the new
audit_fsnotify infrastructure. This means that if the inode in question
is unlinked and
On Tuesday, July 14, 2015 11:50:26 AM Richard Guy Briggs wrote:
Make this interface consistent with watch and filter key, avoiding the extra
string copy and simply consume the new string pointer.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit_exe.c |8 ++--
On 15/07/16, Paul Moore wrote:
On Tuesday, July 14, 2015 11:40:42 AM Richard Guy Briggs wrote:
The audit watch parent count was imbalanced, adding an unnecessary layer of
watch parent references. Decrement the additional parent reference when a
watch is reused, already having a reference
On Tuesday, July 14, 2015 11:50:24 AM Richard Guy Briggs wrote:
This is to be used to audit by executable rules, but audit watches
should be able to share this code eventually.
At the moment the audit watch code is a lot more complex, that code only
creates one fsnotify watch per parent
On Tuesday, July 14, 2015 11:50:23 AM Richard Guy Briggs wrote:
From: Eric Paris epa...@redhat.com
This patch implements the ability to filter on the executable. It is
clearly incomplete! This patch adds the inode/dev of the executable at
the moment the rule is loaded. It does not update
On 15/07/16, Paul Moore wrote:
On Tuesday, July 14, 2015 11:40:41 AM Richard Guy Briggs wrote:
The audit watch count was imbalanced, adding an unnecessary layer of watch
references. Only add the second reference when it is added to a parent.
Signed-off-by: Richard Guy Briggs
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Add python3 support for libaudit
- Cleanup automake warnings
- Add AuParser_search_add_timestamp_item_ex to python