Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 21:34, Richard Guy Briggs wrote: > On 2017-01-17 15:17, Paul Moore wrote: > > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs > > wrote: > > > On 2017-01-17 08:55, Steve Grubb wrote: > > >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > > > ... > >

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 15:17, Paul Moore wrote: > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs wrote: > > On 2017-01-17 08:55, Steve Grubb wrote: > >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > ... > > >> > Ones that are not so straightforward: > >> > - "secmark" d

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Paul Moore
On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs wrote: > On 2017-01-17 08:55, Steve Grubb wrote: >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: ... >> > Ones that are not so straightforward: >> > - "secmark" depends on a kernel config setting, so should it always

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Steve Grubb
On Tuesday, January 17, 2017 11:29:43 AM EST Richard Guy Briggs wrote: > On 2017-01-17 11:12, Richard Guy Briggs wrote: > > On 2017-01-17 08:55, Steve Grubb wrote: > > > On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > > > I'm just starting to look at the normalization of

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 11:12, Richard Guy Briggs wrote: > On 2017-01-17 08:55, Steve Grubb wrote: > > On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > > I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT > > > event messages and it is not quite as straightforward

Re: [PATCH v3] audit: log 32-bit socketcalls

2017-01-17 Thread David Miller
From: Richard Guy Briggs Date: Tue, 17 Jan 2017 11:07:15 -0500 > 32-bit socketcalls were not being logged by audit on x86_64 systems. > Log them. This is basically a duplicate of the call from > net/socket.c:sys_socketcall(), but it addresses the impedance mismatch > between 32-bit userspace pro

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 08:55, Steve Grubb wrote: > On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT > > event messages and it is not quite as straightforward as I had expected. > > > > It is being tracked here:

[PATCH v3] audit: log 32-bit socketcalls

2017-01-17 Thread Richard Guy Briggs
32-bit socketcalls were not being logged by audit on x86_64 systems. Log them. This is basically a duplicate of the call from net/socket.c:sys_socketcall(), but it addresses the impedance mismatch between 32-bit userspace process and 64-bit kernel audit. See: https://github.com/linux-audit/audit-

Re: AUDIT_NETFILTER_CFG event format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 09:07, Steve Grubb wrote: > Hello Richard, > > While we're in the NETFILTER area, the CFG event is lacking some fields, too. > It's currently: > > table,family,entries > > it's missing everything about *who* sent it: > pid,uid,auid,ses,subj,exe,res > > I'd suggest: > > pid,uid,auid

Re: AUDIT_NETFILTER_CFG event format

2017-01-17 Thread Paul Moore
On Tue, Jan 17, 2017 at 9:43 AM, Steve Grubb wrote: > On Tuesday, January 17, 2017 9:24:46 AM EST Paul Moore wrote: >> On Tue, Jan 17, 2017 at 9:07 AM, Steve Grubb wrote: >> > Incidentally, I created a >> > chart that shows how each record type is alike and different from every >> > other record.

Re: AUDIT_NETFILTER_CFG event format

2017-01-17 Thread Steve Grubb
On Tuesday, January 17, 2017 9:24:46 AM EST Paul Moore wrote: > On Tue, Jan 17, 2017 at 9:07 AM, Steve Grubb wrote: > > Incidentally, I created a > > chart that shows how each record type is alike and different from every > > other record. You might call it a record grammar tree: > > > > http://p

Re: AUDIT_NETFILTER_CFG event format

2017-01-17 Thread Paul Moore
On Tue, Jan 17, 2017 at 9:07 AM, Steve Grubb wrote: > Incidentally, I created a > chart that shows how each record type is alike and different from every other > record. You might call it a record grammar tree: > > http://people.redhat.com/sgrubb/audit/record-fields.html This seems like something

AUDIT_NETFILTER_CFG event format

2017-01-17 Thread Steve Grubb
Hello Richard, While we're in the NETFILTER area, the CFG event is lacking some fields, too. It's currently: table,family,entries it's missing everything about *who* sent it: pid,uid,auid,ses,subj,exe,res I'd suggest: pid,uid,auid,ses,subj,table,family,entries,exe,res to make it compatible with

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Steve Grubb
On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT > event messages and it is not quite as straightforward as I had expected. > > It is being tracked here: > https://github.com/linux-audit/audit-kerne

Re: [PATCH V2] audit: log 32-bit socketcalls

2017-01-17 Thread Paul Moore
On Mon, Jan 16, 2017 at 10:53 PM, Richard Guy Briggs wrote: > On 2017-01-16 15:04, Paul Moore wrote: >> On Fri, Jan 13, 2017 at 9:42 AM, Eric Paris wrote: >> > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote: >> >> diff --git a/include/linux/audit.h b/include/linux/audit.h >> >> index