Re: Not seeing access denied audit messages in restricted subdirectories

2019-11-08 Thread Steve Grubb
On Fri, 8 Nov 2019 13:39:58 -0700 "John T Olson" wrote:
> Greetings,
>
> I have the following 2 audit rules set up:
>
> -a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
> -a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1
>
> I have a directory structure like t

Not seeing access denied audit messages in restricted subdirectories

2019-11-08 Thread John T Olson
Greetings,

I have the following 2 audit rules set up:

-a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
-a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1

I have a directory structure like the following:

(13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/
tota

Re: [PATCH ghak90 V7 04/21] audit: convert to contid list to check for orch/engine ownership

2019-11-08 Thread Paul Moore
On Fri, Oct 25, 2019 at 5:00 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:38, Paul Moore wrote:
> > On Wed, Sep 18, 2019 at 9:24 PM Richard Guy Briggs wrote:
> > > Store the audit container identifier in a refcounted kernel object that
> > > is added to the master list of audit container ident

Re: [PATCH ghak90 V7 06/21] audit: contid limit of 32k imposed to avoid DoS

2019-11-08 Thread Paul Moore
On Thu, Oct 24, 2019 at 5:23 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:38, Paul Moore wrote:
> > On Fri, Sep 27, 2019 at 8:52 AM Neil Horman wrote:
> > > On Wed, Sep 18, 2019 at 09:22:23PM -0400, Richard Guy Briggs wrote:
> > > > Set an arbitrary limit on the number of audit container ident

Re: [PATCH ghak90 V7 08/21] audit: add contid support for signalling the audit daemon

2019-11-08 Thread Paul Moore
On Fri, Oct 25, 2019 at 3:20 PM Richard Guy Briggs wrote:
> On 2019-10-10 20:39, Paul Moore wrote:
> > On Wed, Sep 18, 2019 at 9:25 PM Richard Guy Briggs wrote:
> > > Add audit container identifier support to the action of signalling the
> > > audit daemon.
> > >
> > > Since this would need to ad