Re: [RFC PATCH 4/9] audit: add filtering for io_uring records

2021-05-28 Thread Richard Guy Briggs
On 2021-05-21 17:50, Paul Moore wrote: > WARNING - This is a work in progress and should not be merged > anywhere important. It is almost surely not complete, and while it > probably compiles it likely hasn't been booted and will do terrible > things. You have been warned. > > This patch adds ba

Re: Replacing file watch (-w) with syscall

2021-05-28 Thread Andreas Hasenack
Thanks for the explanation, guys, much appreciated! On Fri, May 28, 2021 at 12:56 PM Richard Guy Briggs wrote: > > On 2021-05-28 11:26, Steve Grubb wrote: > > On Friday, May 28, 2021 8:34:45 AM EDT Andreas Hasenack wrote: > > > I wanted to place a file watch on a file, but with an auid filter, > >

Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring

2021-05-28 Thread Paul Moore
On Wed, May 26, 2021 at 4:19 PM Paul Moore wrote: > ... If we moved the _entry > and _exit calls into the individual operation case blocks (quick > openat example below) so that only certain operations were able to be > audited would that be acceptable assuming the high frequency ops were > untouc

Re: Replacing file watch (-w) with syscall

2021-05-28 Thread Richard Guy Briggs
On 2021-05-28 11:26, Steve Grubb wrote: > On Friday, May 28, 2021 8:34:45 AM EDT Andreas Hasenack wrote: > > I wanted to place a file watch on a file, but with an auid filter, > > i.e., I didn't want to log accesses done by a particular user. That is > > not possible with -w, so we have to use a sy

Re: Replacing file watch (-w) with syscall

2021-05-28 Thread Steve Grubb
On Friday, May 28, 2021 8:34:45 AM EDT Andreas Hasenack wrote: > I wanted to place a file watch on a file, but with an auid filter, > i.e., I didn't want to log accesses done by a particular user. That is > not possible with -w, so we have to use a syscall rule. > > The manpage has many examples o

Replacing file watch (-w) with syscall

2021-05-28 Thread Andreas Hasenack
Hi, I wanted to place a file watch on a file, but with an auid filter, i.e., I didn't want to log accesses done by a particular user. That is not possible with -w, so we have to use a syscall rule. The manpage has many examples of such conversions, so here is what I would use: -a always,exit -F