The audit subsystem allows selecting audit events based on watches for
a particular behavior like writing to a file. A lot of syscalls have
been added without updating the list. This patch adds 2 syscalls to the
write filters: fallocate and renameat2.
Signed-off-by: sgrubb
---
include/asm-generi
On Thu, Oct 12, 2017 at 8:34 PM, Steve Grubb wrote:
> On Thursday, October 12, 2017 6:51:19 PM EDT Paul Moore wrote:
>> On Thu, Oct 12, 2017 at 6:13 PM, Steve Grubb wrote:
>> > On Thursday, October 12, 2017 5:04:41 PM EDT Paul Moore wrote:
>> >> Another reminder that in general I'm not going to a
On Thursday, October 12, 2017 6:51:19 PM EDT Paul Moore wrote:
> On Thu, Oct 12, 2017 at 6:13 PM, Steve Grubb wrote:
> > On Thursday, October 12, 2017 5:04:41 PM EDT Paul Moore wrote:
> >> Another reminder that in general I'm not going to accept patches that
> >> shuffle the fields or insert field
On Thu, Oct 12, 2017 at 6:13 PM, Steve Grubb wrote:
> On Thursday, October 12, 2017 5:04:41 PM EDT Paul Moore wrote:
>> Another reminder that in general I'm not going to accept patches that
>> shuffle the fields or insert fields in the middle of a record; if you
>> want to add new fields to a reco
On Thursday, October 12, 2017 5:04:41 PM EDT Paul Moore wrote:
> On Thu, Oct 12, 2017 at 3:57 PM, Steve Grubb wrote:
> > There are very important fields necessary to understand who is adding
> > audit rules and a little more context about the environment in which
> > it's happening. This adds pid,
On Thu, Oct 12, 2017 at 3:57 PM, Steve Grubb wrote:
> There are very important fields necessary to understand who is adding
> audit rules and a little more context about the environment in which
> it's happening. This adds pid, uid, tty, subj, comm, and exe
> information to the event. These are req
There are very important fields necessary to understand who is adding
audit rules and a little more context about the environment in which
it's happening. This adds pid, uid, tty, subj, comm, and exe
information to the event. These are required fields.
Signed-off-by: sgrubb
---
kernel/audit_watch
Richard Guy Briggs writes:
> A namespace cannot directly migrate from one container to another but
> could be assigned to a newly spawned container. A namespace can be
> moved from one container to another indirectly by having that namespace
> used in a second process in another container and th
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix NULL ptr dereference in audispd plugin_dir parser
- Signed/unsigned cleanup
It was discovered that in a new inst
On 10/12/2017 7:14 AM, Richard Guy Briggs wrote:
> Containers are a userspace concept. The kernel knows nothing of them.
>
> The Linux audit system needs a way to be able to track the container
> provenance of events and actions. Audit needs the kernel's help to do
> this.
>
> Since the concept o
On Thursday, October 12, 2017 10:14:00 AM EDT Richard Guy Briggs wrote:
> Containers are a userspace concept. The kernel knows nothing of them.
>
> The Linux audit system needs a way to be able to track the container
> provenance of events and actions. Audit needs the kernel's help to do
> this.
Containers are a userspace concept. The kernel knows nothing of them.
The Linux audit system needs a way to be able to track the container
provenance of events and actions. Audit needs the kernel's help to do
this.
Since the concept of a container is entirely a userspace concept, a
registration
On Tuesday, October 10, 2017 6:35:32 PM EDT Steve Grubb wrote:
> Hello,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> soon. The ChangeLog is:
>
> - Add support for ambient capability fields