Re: [PATCH] filterexcl: allow filterkey

2017-06-12 Thread Richard Guy Briggs
On 2017-06-12 20:05, Steve Grubb wrote: > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote: > > The exclude rules did not permit a filterkey to be added. This isn't as > > important for the exclude filter compared to the others since no records are > > generated with that key, but

Re: [PATCH] filter: add path filter with fstype

2017-06-12 Thread Richard Guy Briggs
On 2017-06-12 20:28, Steve Grubb wrote: > Hello, Hi (swapping in this task after > 2 months...) > This patch needs to be refactored to match the current count of error > messages > in err_msgtab. > > What error message is emitted when run on a kernel that does not support the > new filter? -

[PATCH] capabilities: add field names for ambient capabilities

2017-06-12 Thread Richard Guy Briggs
Linux kernel capabilities were augmented to include ambient capabilities in v4.3 commit 58319057b784 ("capabilities: ambient capabilities"). Add interpretation types for cap_pa, old_pa, pa. The record contains fields "old_pp", "old_pi", "old_pe", "new_pp", "new_pi", "new_pe" so in keeping with th

[PATCH] auparse: do not interpret fE as a capability field

2017-06-12 Thread Richard Guy Briggs
The file effective capability is a boolean. It is being interpreted as the capability "chown" by auparse. Just print its raw value. An example from an execve syscall: type=BPRM_FCAPS msg=audit(03/07/2017 17:29:56.494:969) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=non

Re: [PATCH] filter: add path filter with fstype

2017-06-12 Thread Steve Grubb
Hello, This patch needs to be refactored to match the current count of error messages in err_msgtab. What error message is emitted when run on a kernel that does not support the new filter? On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote: > Tracefs or debugfs were causing hun

Re: [PATCH] filterexcl: allow filterkey

2017-06-12 Thread Steve Grubb
On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote: > The exclude rules did not permit a filterkey to be added. This isn't as > important for the exclude filter compared to the others since no records are > generated with that key, but still helps identify rules in the rules list >

Re: [PATCH] filterkey: add errormsg reporting

2017-06-12 Thread Steve Grubb
On Tuesday, April 4, 2017 6:38:41 AM EDT Richard Guy Briggs wrote: > Call errormsg after processing filterkey to speed up debugging. Applied. Thanks! -Steve > See: https://github.com/linux-audit/audit-userspace/issues/13 > > Signed-off-by: Richard Guy Briggs > --- > src/auditctl.c |4 +++-

Re: [PATCH] audit: style fix

2017-06-12 Thread Paul Moore
On Sun, Jun 11, 2017 at 10:33 PM, Derek Robson wrote: > Fixed checkpatch.pl warnings of "function definition argument FOO > should also have an identifier name" > > Signed-off-by: Derek Robson > --- > kernel/audit.h | 28 ++-- > 1 file changed, 14 insertions(+), 14 delet

Re: Auditing file access by application

2017-06-12 Thread John Petrini
Okay thank you both. I'll look into dbus as a possible solution. By the way this is a CentOS 6.9 box running kernel 2.6.32-696.1.1.el6.i686 ___ John Petrini NOC Systems Administrator // *CoreDial, LLC* // coredial.com

Re: Auditing file access by application

2017-06-12 Thread Steve Grubb
Hello, On Monday, June 12, 2017 10:20:15 AM EDT John Petrini wrote: > We have a need to monitor voicemail directories for any sort of access. > Basically there is only one application that should be accessing the files. > If anything else accesses the files we need to log that. > > We setup the f

Re: Auditing file access by application

2017-06-12 Thread Richard Guy Briggs
On 2017-06-12 11:31, John Petrini wrote: > Hi Richard. > > It looks like the -F exe= option is not supported at all regardless of > negation. > > Starting auditd: [ OK ] > -F unknown field: exe Support is upstream in Linux kernel v4.3 and userspace aud

Re: Auditing file access by application

2017-06-12 Thread John Petrini
Hi Richard. It looks like the -F exe= option is not supported at all regardless of negation. Starting auditd: [ OK ] -F unknown field: exe ___ John Petrini -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/lin

Re: Auditing file access by application

2017-06-12 Thread Richard Guy Briggs
On 2017-06-12 10:20, John Petrini wrote: > Hello, Hi John, > We have a need to monitor voicemail directories for any sort of access. > Basically there is only one application that should be accessing the files. > If anything else accesses the files we need to log that. > > We setup the following

Auditing file access by application

2017-06-12 Thread John Petrini
Hello, We have a need to monitor voicemail directories for any sort of access. Basically there is only one application that should be accessing the files. If anything else accesses the files we need to log that. We setup the following to accomplish this but it doesn't quite do what we want. -a

Re: [PATCH] audit: style fix

2017-06-12 Thread Richard Guy Briggs
On 2017-06-12 14:33, Derek Robson wrote: > Fixed checkpatch.pl warnings of "function definition argument FOO > should also have an identifier name" > > Signed-off-by: Derek Robson Sounds reasonable. Reviewed-by: Richard Guy Briggs > --- > kernel/audit.h | 28 ++-- > 1

[PATCH] audit: style fix

2017-06-12 Thread Derek Robson
Fixed checkpatch.pl warnings of "function definition argument FOO should also have an identifier name" Signed-off-by: Derek Robson --- kernel/audit.h | 28 ++-- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index ddfce2ea