Re: [PATCH V9 3/3] audit: add audit by children of executable path

2015-08-07 Thread Richard Guy Briggs
On 15/08/07, Paul Moore wrote: > On Fri, Aug 7, 2015 at 12:03 PM, Richard Guy Briggs wrote: > > On 15/08/07, Paul Moore wrote: > >> On Friday, August 07, 2015 02:37:15 AM Richard Guy Briggs wrote: > >> > On 15/08/06, Paul Moore wrote: > >> > > >> > > I guess what I'm saying is that I'm not current

Re: [PATCH V9 3/3] audit: add audit by children of executable path

2015-08-07 Thread Paul Moore
On Fri, Aug 7, 2015 at 12:03 PM, Richard Guy Briggs wrote: > On 15/08/07, Paul Moore wrote: >> On Friday, August 07, 2015 02:37:15 AM Richard Guy Briggs wrote: >> > On 15/08/06, Paul Moore wrote: >> > >> > > I guess what I'm saying is that I'm not currently convinced that >> > > there is enough va

Re: [PATCH V9 3/3] audit: add audit by children of executable path

2015-08-07 Thread Richard Guy Briggs
On 15/08/07, Paul Moore wrote: > On Friday, August 07, 2015 02:37:15 AM Richard Guy Briggs wrote: > > On 15/08/06, Paul Moore wrote: > > > > > I guess what I'm saying is that I'm not currently convinced that > > > there is enough value in this to offset the risk I feel the loop > > > presents. I un

Re: [PATCH V9 3/3] audit: add audit by children of executable path

2015-08-07 Thread Paul Moore
On Friday, August 07, 2015 02:37:15 AM Richard Guy Briggs wrote: > On 15/08/06, Paul Moore wrote: > > > I guess what I'm saying is that I'm not currently convinced that > > there is enough value in this to offset the risk I feel the loop > > presents. I understand the use cases that you are mention

Re: [PATCH V9 2/3] audit: implement audit by executable

2015-08-07 Thread Paul Moore
On Friday, August 07, 2015 02:25:14 AM Richard Guy Briggs wrote: > On 15/08/06, Paul Moore wrote: > > > Merged, although some more minor whitespace tweaks were necessary for > > checkpatch. On a related note, if you're not running > > ./scripts/checkpatch.pl on your patches before sending them out

Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values

2015-08-07 Thread Paul Moore
On Thursday, August 06, 2015 02:31:57 PM Casey Schaufler wrote: > I remember the Orange Book days when we were *required* to audit by > dev/inode because it was the only true way to identify the object. Yes, > it's analogous to auditing the pid, but we had to audit by that, too. The > dev/inode an

Re: [PATCH V9 3/3] audit: add audit by children of executable path

2015-08-07 Thread Richard Guy Briggs
On 15/08/06, Paul Moore wrote: > On August 6, 2015 5:11:50 PM Steve Grubb wrote: > > >On Thursday, August 06, 2015 04:24:58 PM Paul Moore wrote: > >> On Wednesday, August 05, 2015 04:29:38 PM Richard Guy Briggs wrote: > >> > This adds the ability to audit the actions of children of a > >> > not-y