Audit roadmap and new development

2018-03-11 Thread Steve Grubb
Hello, I wanted to take a few minutes to chat about the future audit roadmap. The release of audit-2.8.3 represents a breaking point. It's time for changes. Some of these changes are going to modify configuration files. And new things that may not be compatible with the old will be introduced. So,

audit 2.8.3 released

2018-03-10 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Correct msg function name in lru debug code - Fix a segfault in auditd when dns resolution isn't available - Make a re

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

2018-03-10 Thread Steve Grubb
On Wed, 7 Mar 2018 18:43:42 -0500 Paul Moore wrote: > ... and I just realized that linux-audit isn't on the To/CC line, > adding them now. > > Link to the patch is below. > > * https://marc.info/?t=15204188763&r=1&w=2 Yes...I wished I was in on the beginning of this discussion. Here's the p

Re: audit watch rules and docker containers

2018-03-05 Thread Steve Grubb
On Mon, 5 Mar 2018 03:06:44 + (UTC) Rakesh wrote: > Hi Steve, > Thanks for taking the time to look at it. I have been following the > conversation on adding container support to audit, however I am not > looking for container id in the event. I did some more tests and find > it works as expec

Re: audit watch rules and docker containers

2018-03-04 Thread Steve Grubb
On Sat, 3 Mar 2018 08:52:04 + (UTC) Rakesh wrote: > Hello Auditd'ers, > > > > I am running a privileged container with pid, net, uts space shared > with the host. The need is to be able to set file watch rules from > the container say -k /etc -p rw -k containter_rule and then look for > re

Re: [PATCH] libaudit: fix manpage listing incorrect function under NAME

2018-02-27 Thread Steve Grubb
On Tuesday, February 27, 2018 5:20:58 AM EST Richard Guy Briggs wrote: > Under the NAME section, the function listed is incorrect. Fix it. > > Signed-off-by: Richard Guy Briggs Applied. Thanks! -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/l

Re: [PATCH v2] audit: do not panic kernel on invalid audit parameter

2018-02-21 Thread Steve Grubb
On Wednesday, February 21, 2018 4:08:25 PM EST Paul Moore wrote: > On February 21, 2018 11:19:09 AM Greg Edwards wrote: > > If you pass in an invalid audit kernel boot parameter, e.g. 'audit=off', > > the kernel panics very early in boot with no output on the console > > indicating the problem. >

Re: [PATCH ghak8 ALT4 V4 1/3] audit: show partial pathname for entries with anonymous parents

2018-02-15 Thread Steve Grubb
On Monday, February 12, 2018 12:02:21 AM EST Richard Guy Briggs wrote: > Tracefs or debugfs were causing hundreds to thousands of null PATH > records to be associated with the init_module and finit_module SYSCALL > records on a few modules when the following rule was in place for > startup: >

Re: [RFC PATCH ghak21 0/4] audit: address ANOM_LINK excess records

2018-02-14 Thread Steve Grubb
On Wednesday, February 14, 2018 11:18:20 AM EST Richard Guy Briggs wrote: > Audit link denied events were being unexpectedly produced in a disjoint > way when audit was disabled, and when they were expected, there were > duplicate PATH records. This patchset addresses both issues for > symlinks an

Re: auditd configuration for PCI DSS 10.2.x Compliance

2018-01-15 Thread Steve Grubb
On Monday, January 15, 2018 9:52:07 AM EST Joshua Ammons wrote: > Hello All, > > Just thought I'd give this one more shot to see if anyone had any comments > on my prior message (see below)? Any input you have would be greatly > appreciated. I won't bother the group any more on this topic. Not

Re: type=PROCTITLE events not being populated in /var/log/audit/audit.log

2018-01-10 Thread Steve Grubb
Hello, On Wednesday, January 10, 2018 5:41:03 PM EST Joshua Ammons wrote: > I wanted to check if anyone was aware of a setting on RedHat box for > enabling the PROCTITLE event type for audit logs? Nope. > Is there any difference between RedHat and CentOS? I have seen studies that show there are

Re: patch suggested by rgb for fixing auditd logs for clone syscall shows exit code as container namespace pid of child process instead of host namespace

2018-01-08 Thread Steve Grubb
On Mon, Jan 8, 2018 at 6:23 PM, Richard Guy Briggs wrote: > > On 2018-01-05 13:07, Steve Grubb wrote: > > > On Friday, January 5, 2018 6:00:01 AM EST madz car wrote: > > > > Hi Guys, > > > > > > > > Please refer to the issue details at github :

Re: patch suggested by rgb for fixing auditd logs for clone syscall shows exit code as container namespace pid of child process instead of host namespace

2018-01-05 Thread Steve Grubb
On Friday, January 5, 2018 6:00:01 AM EST madz car wrote: > Hi Guys, > > Please refer to the issue details at github : > https://github.com/linux-audit/audit-kernel/issues/68 > > Here is a patch as suggested by rgb, i can confirm that it works. By hooking this function, doesn't this change the r

Re: Limiting SECCOMP audit events

2018-01-02 Thread Steve Grubb
ary Report = total file = 209843 /usr/lib64/firefox/firefox 2196 /usr/lib64/qt5/libexec/QtWebEngineProcess Has anyone looked at it beyond pseudo code? -Steve On Friday, December 15, 2017 11:02:19 AM EST Steve Grubb wrote: > On Thursday, Decemb

Re: Differentiating audit rules in an LSM stack

2018-01-02 Thread Steve Grubb
On Friday, December 22, 2017 4:02:41 PM EST Paul Moore wrote: > On Fri, Dec 22, 2017 at 3:01 PM, Casey Schaufler wrote: > > The audit rule field types AUDIT_SUBJ_* and AUDIT_OBJ_* are > > defined generically and used by both SELinux and Smack to identify > > fields that are interesting to them. I

Re: Differentiating audit rules in an LSM stack

2018-01-02 Thread Steve Grubb
On Friday, December 22, 2017 3:01:24 PM EST Casey Schaufler wrote: > The audit rule field types AUDIT_SUBJ_* and AUDIT_OBJ_* are > defined generically and used by both SELinux and Smack to identify > fields that are interesting to them. If SELinux and Smack are running > concurrently both modules w

Re: audit-userspace: auparse/lru.c sanity_check_queue() compile error with DEBUG

2017-12-20 Thread Steve Grubb
On Tuesday, December 19, 2017 2:49:08 PM EST Mor, Omri wrote: > >> sanity_check_queue() attempts to call msg(), which as far as I can tell > >> isn’t defined. It appears that this should be syslog() or audit_msg() > >> instead. > >> This causes compilation failure when DEBUG is defined. > > > > Th

Re: auditd and hidden ports

2017-12-18 Thread Steve Grubb
Hello, On Monday, December 18, 2017 2:37:53 PM EST Yectli Huerta wrote: > unhide reports that there are ports that are not being seen by ss. i > also used lsof and netstat and they don't show up. > > [~] % sudo unhide-tcp > Unhide-tcp 20130526 > Copyright © 2013 Yago Jesus & Patrick Gouin > Lic

Re: audit-userspace: auparse/lru.c sanity_check_queue() compile error with DEBUG

2017-12-18 Thread Steve Grubb
On Sunday, December 17, 2017 8:19:14 PM EST Mor, Omri wrote: > sanity_check_queue() attempts to call msg(), which as far as I can tell > isn’t defined. It appears that this should be syslog() or audit_msg() > instead. > This causes compilation failure when DEBUG is defined. Thanks for reporting t

Re: Limiting SECCOMP audit events

2017-12-15 Thread Steve Grubb
On Friday, December 15, 2017 10:47:14 AM EST Tyler Hicks wrote: > > Looks good to me but two things: > > > > * Change the name of __audit_seccomp() to audit_seccomp() since we don't > > have two functions anymore. > > > > * Are we sure about removing the audit_enabled check? People got pretty > >

Re: Limiting SECCOMP audit events

2017-12-15 Thread Steve Grubb
On Thursday, December 14, 2017 6:06:30 PM EST Tyler Hicks wrote: > On 12/14/2017 09:19 AM, Steve Grubb wrote: > > On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote: > >> On 12/13/2017 05:58 PM, Steve Grubb wrote: > >> > Over the last month, the amount o

audit 2.8.2 released

2017-12-14 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Update tables for 4.14 kernel - Fixup ipv6 server side binding - AVC report from aureport was missing result column h

Re: Limiting SECCOMP audit events

2017-12-14 Thread Steve Grubb
On Thursday, December 14, 2017 7:42:26 AM EST Paul Moore wrote: > >> Looking at the kernel code, it looks like the actions_logged knob > >> isn't really intended to filter/drop seccomp events, > > > > That's unfortunate. I thought this was a way to suppress generation of > > events. We have a requ

Re: Limiting SECCOMP audit events

2017-12-14 Thread Steve Grubb
On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote: > On 12/13/2017 05:58 PM, Steve Grubb wrote: > > Over the last month, the amount of seccomp events in audit logs is > > sky-rocketing. I have over a million events in the last 2 days. Most of > > this is genera

Re: Limiting SECCOMP audit events

2017-12-13 Thread Steve Grubb
On Wednesday, December 13, 2017 8:43:38 PM EST Paul Moore wrote: > On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb wrote: > > On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote: > >> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb wrote: > >> > Hello, >

Re: Limiting SECCOMP audit events

2017-12-13 Thread Steve Grubb
On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote: > On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb wrote: > > Hello, > > > > Over the last month, the amount of seccomp events in audit logs is > > sky-rocketing. I have over a million events in the last

Limiting SECCOMP audit events

2017-12-13 Thread Steve Grubb
Hello, Over the last month, the amount of seccomp events in audit logs is sky-rocketing. I have over a million events in the last 2 days. Most of this is generated by firefox and qt webkit. I am wondering if the audit package should ship a file for /usr/lib/sysctl.d/60-auditd.conf wherein i

Re: Unique audit record type ranges for individual LSMs

2017-12-11 Thread Steve Grubb
On Monday, December 11, 2017 3:56:35 PM EST Casey Schaufler wrote: > On 12/11/2017 7:44 AM, Steve Grubb wrote: > > On Wednesday, December 6, 2017 1:47:43 PM EST Casey Schaufler wrote: > >>> While it will be potentially painful to switch, the AppArmor project is > >>

Re: RFC(v2): Audit Kernel Container IDs

2017-12-11 Thread Steve Grubb
On Monday, December 11, 2017 11:30:57 AM EST Eric Paris wrote: > > Because a container doesn't have to use namespaces to be a container > > you still need a mechanism for a process to declare that it is in > > fact > > in a container, and to identify the container. > > I like the idea but I'm stil

Re: Unique audit record type ranges for individual LSMs

2017-12-11 Thread Steve Grubb
On Wednesday, December 6, 2017 1:47:43 PM EST Casey Schaufler wrote: > > While it will be potentially painful to switch, the AppArmor project is > > considering to use a unique range in order for audit-userspace to > > support AppArmor audit records. IMHO, SMACK would be free to continue > > using

Re: Unique audit record type ranges for individual LSMs

2017-12-11 Thread Steve Grubb
e potentially painful to switch, the AppArmor project is > considering to use a unique range in order for audit-userspace to > support AppArmor audit records. IMHO, SMACK would be free to continue > using 1400-1499 as long as they don't need audit-userspace support and > SELinux wo

Re: Systemd Journald and audit logging causing journal issues

2017-12-01 Thread Steve Grubb
ose messages > about journal and everything appears to run as expected. I have never looked at journald code and have no idea how it works or why it cares about audit events. My advice last email was to break the link if its causing problems. -Steve > On 10/19/2017 04:13 PM, Steve Grubb

Ausearch test suite updated

2017-11-29 Thread Steve Grubb
Hello, The ausearch test suite has been updated to do improved testing with new user space audit packages. The minimum version that it can be used with is audit-2.8. This is because the socket address representation was changed a little in 2.8. The new version can be found here: http://people.

Re: [PATCH 1/2] Revert "In auditctl, when resetting lost request status output afterwards"

2017-11-27 Thread Steve Grubb
On Monday, November 27, 2017 5:41:32 PM EST Richard Guy Briggs wrote: > On 2017-11-27 17:16, Steve Grubb wrote: > > On Wednesday, November 22, 2017 7:00:56 PM EST Richard Guy Briggs wrote: > > > This reverts commit 56a708761347ba49ccdc2378d31133f01129f4f2. > > > >

Re: [PATCH 1/2] Revert "In auditctl, when resetting lost request status output afterwards"

2017-11-27 Thread Steve Grubb
On Wednesday, November 22, 2017 7:00:56 PM EST Richard Guy Briggs wrote: > This reverts commit 56a708761347ba49ccdc2378d31133f01129f4f2. > > Conflicts: > ChangeLog > --- > ChangeLog | 1 + > src/auditctl.c | 7 --- > 2 files changed, 5 insertions(+), 3 deletions(-) > > diff --git

Re: [PATCH 2/2] lost_reset: return value rather than sequence number when zero

2017-11-27 Thread Steve Grubb
On Wednesday, November 22, 2017 7:00:57 PM EST Richard Guy Briggs wrote: > The kernel always returns negative values on error, so zero and anything > positive is valid success. Lost_reset returned a positive value at the > time of reset, including zero that got interpreted as success and > replace

Re: audit rule problem

2017-11-15 Thread Steve Grubb
On Wednesday, November 15, 2017 12:06:31 PM EST LC Bruzenak wrote: > On 11/14/2017 05:38 PM, LC Bruzenak wrote: > > System: > > Linux audit 2.6.32-696.3.2.el6.x86_64 #1 SMP Wed Jun 7 11:51:39 EDT > > 2017 x86_64 x86_64 x86_64 GNU/Linux > > userspace audit-2.4.5-3 > > Red Hat Enterprise Linux Client

Re: Strange behavior with pam_tty_audit

2017-11-14 Thread Steve Grubb
Hello, On Tuesday, November 14, 2017 8:29:34 AM EST Maupertuis Philippe wrote: > The auditd rules for PCI reads : > ## 10.2.2 Log administrative action. To meet this, you need to enable tty > ## logging. The pam config below should be placed into su and sudo pam > stacks. ## session required pam

Re: Problem with syntax?

2017-11-13 Thread Steve Grubb
> On Mon, Nov 13, 2017 at 3:12 PM, Steve Grubb wrote: > > On Friday, November 10, 2017 1:32:34 PM EST warron.french wrote: > > > Steve, can you help me with this please? > > > Somehow this slipped past our QA process, but I have an error popping up > > >

Re: Problem with syntax?

2017-11-13 Thread Steve Grubb
On Friday, November 10, 2017 1:32:34 PM EST warron.french wrote: > Steve, can you help me with this please? > Somehow this slipped past our QA process, but I have an error popping up in > */var/log/boot.log* indicating: > > *28* Starting auditd: ^[[60G[^[[0;32m OK ^[[0;39m]^M > * 29* Error send

Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with anonymous parents

2017-11-13 Thread Steve Grubb
On Thursday, November 9, 2017 3:52:46 PM EST Richard Guy Briggs wrote: > > >> > It might be simplest to just apply a corrective patch over top of > > >> > this one so that you don't have to muck about with git branches and > > >> > commit messages. > > >> > > >> A quick note on the "corrective pat

Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with anonymous parents

2017-11-09 Thread Steve Grubb
On Thursday, November 9, 2017 10:18:10 AM EST Paul Moore wrote: > On Wed, Nov 8, 2017 at 6:29 PM, Steve Grubb wrote: > > On Wednesday, September 20, 2017 12:52:32 PM EST Paul Moore wrote: > >> On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote: > >> > T

Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with anonymous parents

2017-11-08 Thread Steve Grubb
On Wednesday, September 20, 2017 12:52:32 PM EST Paul Moore wrote: > On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote: > > Tracefs or debugfs were causing hundreds to thousands of null PATH > > records to be associated with the init_module and finit_module SYSCALL > > records on a few mod

Re: malloc significally impact audit performance

2017-10-23 Thread Steve Grubb
Hello, On Sun, 22 Oct 2017 19:12:34 +0300 Lev Olshvang wrote: > Hello List, > > I work on Ubuntu 16.10 kernel 4.8 with audit v2.7.7, and we wrote > plugin who get its input from audispd > This plugin process audit messages, mostly syscalls. > > In our test we saw that malloc of auditd took

Re: RFC(v2): Audit Kernel Container IDs

2017-10-19 Thread Steve Grubb
On Thursday, October 19, 2017 7:11:33 PM EDT Aleksa Sarai wrote: > >>> The registration is a pseudo filesystem (proc, since PID tree already > >>> exists) write of a u8[16] UUID representing the container ID to a file > >>> representing a process that will become the first process in a new > >>> co

Re: Systemd Journald and audit logging causing journal issues

2017-10-19 Thread Steve Grubb
On Thursday, October 19, 2017 1:08:22 PM EDT Brad Zynda wrote: > >> grep perm_mod /etc/audit/audit.rules > >> -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 > >> -F auid!=4294967295 -k perm_mod > >> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 > >

Re: Systemd Journald and audit logging causing journal issues

2017-10-18 Thread Steve Grubb
On Wednesday, October 18, 2017 12:32:15 PM EDT Brad Zynda wrote: > On 10/18/2017 12:26 PM, Steve Grubb wrote: > > On Wednesday, October 18, 2017 12:13:13 PM EDT Brad Zynda wrote: > >> So now you have to comment out a rule at a time and watch for > >> usage/count t

Re: [PATCH v2] audit: Allow auditd to set pid to 0 to end auditing

2017-10-18 Thread Steve Grubb
On Wednesday, October 18, 2017 6:31:47 PM EDT Paul Moore wrote: > > auditd_pid = auditd_pid_vnr(); > > - /* only the current auditd can unregister itself > > */ > > - if ((!new_pid) && (new_pid != auditd_pid)) { > > - audit_l

Re: libaudit issues

2017-10-18 Thread Steve Grubb
On Wednesday, October 18, 2017 1:19:45 PM EDT Valerio Ramicone wrote: > I would like to have a list of issues from libaudit. Is there a database? Nope. Grepping through the ChangeLog also shows very little. It's mostly adding features. You can also browse the source online and look at the blame view

Re: Systemd Journald and audit logging causing journal issues

2017-10-18 Thread Steve Grubb
On Wednesday, October 18, 2017 12:13:13 PM EDT Brad Zynda wrote: > So now you have to comment out a rule at a time and watch for > usage/count to fall? Well, I am certain that commenting out that rule will drop the count. But the question more is why is that rule being triggered. One thing you co

Re: Systemd Journald and audit logging causing journal issues

2017-10-18 Thread Steve Grubb
On Wednesday, October 18, 2017 11:14:31 AM EDT Brad Zynda wrote: > Here is an output from the server with PATH audit type re-allowed > (everything back to normal): > > Key Summary Report > === > total key > === > 6019 perm_mod > 3878 delete > 964
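The key summary quoted in the message above is the kind of count aureport produces. The script below is an added example, not part of this thread and not code from the audit package: it reproduces that per-key count from a raw audit.log and also breaks each key down by the executable that triggered it, which is the next question in the thread (why a rule such as perm_mod fires so often). The log lines embedded in it are constructed for the example, not captured from a real host, and the hex decoding of multi-key records assumes auditd's usual encoding (hex string with 0x01 separators).

```python
"""Summarise a raw audit.log by rule key and by (key, exe).

Added example; not part of the linux-audit thread or of the audit package.
"""
import re
from collections import Counter

# Constructed sample records in audit.log format (not from a real host).
# Four SYSCALL events carry key="perm_mod", one carries key="delete", and
# one SECCOMP record has no key at all.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1508342071.123:4567): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7ffd1 a2=1ed a3=0 items=1 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1508342071.123:4567): item=0 name="/tmp/a" inode=12 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1508342072.456:4568): arch=c000003e syscall=91 success=yes exit=0 a0=5 a1=1a4 a2=0 a3=0 items=0 ppid=2200 pid=2201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="rsync" exe="/usr/bin/rsync" key="perm_mod"
type=SYSCALL msg=audit(1508342072.457:4569): arch=c000003e syscall=91 success=yes exit=0 a0=6 a1=1a4 a2=0 a3=0 items=0 ppid=2200 pid=2201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="rsync" exe="/usr/bin/rsync" key="perm_mod"
type=SYSCALL msg=audit(1508342072.458:4570): arch=c000003e syscall=91 success=yes exit=0 a0=7 a1=1a4 a2=0 a3=0 items=0 ppid=2200 pid=2201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="rsync" exe="/usr/bin/rsync" key="perm_mod"
type=SYSCALL msg=audit(1508342073.001:4571): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=2 ppid=2100 pid=2102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="delete"
type=PATH msg=audit(1508342073.001:4571): item=1 name="/tmp/a" inode=12 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SECCOMP msg=audit(1513123456.789:4572): auid=1000 uid=1000 gid=1000 ses=3 pid=3001 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f3a2b5c4e57 code=0x7ffc0000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def decode_key(raw):
    """Return the list of rule keys on a record.

    auditd writes one key as key="name"; several keys become one hex
    string with 0x01 separators; a record without a key has key=(null).
    The hex branch is only reached for the unquoted multi-key form.
    """
    if raw == "(null)":
        return []
    if raw.startswith('"'):
        return [raw.strip('"')]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace").split("\x01")
    except ValueError:
        return [raw]


def parse_record(line):
    """Split one audit.log line into a dict of its name=value fields."""
    rec = {"keys": []}
    for name, value in FIELD_RE.findall(line):
        if name == "key":
            rec["keys"] = decode_key(value)
            continue
        rec[name] = value.strip('"') if value.startswith('"') else value
    m = MSG_RE.search(line)
    if m:
        rec["ts"], rec["serial"] = m.group(1), m.group(2)
    return rec


def summarize(log_text):
    """Count events per key, per (key, exe) and per record type."""
    by_key, by_key_exe, by_type = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        by_type[rec.get("type", "?")] += 1
        # The key lives on the SYSCALL record; the PATH/CWD records of the
        # same event share its serial number and carry no key of their own.
        if rec.get("type") != "SYSCALL":
            continue
        for key in rec["keys"]:
            by_key[key] += 1
            by_key_exe[(key, rec.get("exe", "?"))] += 1
    return by_key, by_key_exe, by_type


def report(log_text):
    by_key, by_key_exe, by_type = summarize(log_text)
    lines = ["Key Summary Report", "total  key"]
    lines += ["%5d  %s" % (n, k) for k, n in by_key.most_common()]
    lines += ["", "Key by executable", "total  key  exe"]
    lines += ["%5d  %s  %s" % (n, k, exe) for (k, exe), n in by_key_exe.most_common()]
    lines += ["", "Record types", "total  type"]
    lines += ["%5d  %s" % (n, t) for t, n in by_type.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real file with `summarize(open("/var/log/audit/audit.log").read())`; the per-executable breakdown is what tells you whether a noisy key is a rule that is too broad or a single process that should be excluded from it.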

Re: RFC(v2): Audit Kernel Container IDs

2017-10-17 Thread Steve Grubb
On Tuesday, October 17, 2017 1:57:43 PM EDT James Bottomley wrote: > > > > The idea is that processes spawned into a container would be > > > > labelled by the container orchestration system. It's unclear > > > > what should happen to processes using nsenter after the fact, but > > > > policy for

[PATCH v2] audit: add missing fields to AUDIT_CONFIG_CHANGE event

2017-10-17 Thread Steve Grubb
: https://github.com/linux-audit/audit-kernel/issues/59 Signed-off-by: Steve Grubb Reviewed-by: Richard Guy Briggs --- kernel/audit_watch.c | 24 kernel/auditfilter.c | 19 --- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/kernel

[PATCH v2] audit: Allow auditd to set pid to 0 to end auditing

2017-10-17 Thread Steve Grubb
The API to end auditing has historically been for auditd to set the pid to 0. This patch restores that functionality. See: https://github.com/linux-audit/audit-kernel/issues/69 Reviewed-by: Richard Guy Briggs Signed-off-by: Steve Grubb --- kernel/audit.c | 29 - 1

Re: RFC(v2): Audit Kernel Container IDs

2017-10-17 Thread Steve Grubb
On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote: > > The idea is that processes spawned into a container would be labelled > > by the container orchestration system. It's unclear what should happen > > to processes using nsenter after the fact, but policy for that should > > be

Re: Systemd Journald and audit logging causing journal issues

2017-10-17 Thread Steve Grubb
o. > In regards to the audit.socket what is the expected outcome of masking > this service? The expected outcome is that journald stops getting audit records. It doesn't solve the problem of why you are getting so many events. Fixing the rule does that. -Steve > On 10/17/2017 11

Re: [PATCH 1/1] audit: log binding and unbinding to netlink multicast

2017-10-17 Thread Steve Grubb
On Tuesday, October 17, 2017 11:11:31 AM EDT Paul Moore wrote: > On Mon, Oct 16, 2017 at 6:28 PM, Steve Grubb wrote: > > On Monday, October 16, 2017 6:06:47 PM EDT Steve Grubb wrote: > >> > > +/* Log information about who is connecting to the audit multicast > >&g

Re: Systemd Journald and audit logging causing journal issues

2017-10-17 Thread Steve Grubb
Hello, I apologize for the late reply...just found the message. On Monday, October 2, 2017 1:30:19 PM EDT Brad Zynda wrote: > I am sending along an issue brought to the systemd-journald dev list > initially: > > On 10/02/2017 11:40 AM, Lennart Poettering wrote: > > On Mo, 02.10.17 11:25, Brad Zy

Re: [PATCH 1/1] audit: log binding and unbinding to netlink multicast

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 7:04:14 PM EDT Richard Guy Briggs wrote: > On 2017-10-16 22:28, Steve Grubb wrote: > > On Monday, October 16, 2017 6:06:47 PM EDT Steve Grubb wrote: > > > > > +/* Log information about who is connecting to the audit multicast > > > >

Re: Detecting execution of files in rwtab

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 1:21:50 PM EDT Kevin Sullivan wrote: > Sorry if this topic has already been discussed, but I was unable to find > information about it in the mailing list. > > I am running auditd on a machine that is configured with readonly-root > support. For this configuration to wo

Re: RFC(v2): Audit Kernel Container IDs

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote: > On 2017-10-12 16:33, Casey Schaufler wrote: > > On 10/12/2017 7:14 AM, Richard Guy Briggs wrote: > > > Containers are a userspace concept. The kernel knows nothing of them. > > > > > > The Linux audit system needs a way to be

Re: [PATCH 1/1] audit: log binding and unbinding to netlink multicast

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 6:06:47 PM EDT Steve Grubb wrote: > > > +/* Log information about who is connecting to the audit multicast > > > socket > > > */ +static void audit_log_multicast_bind(int group, const char *op, int > > > err) +{ &

Re: [PATCH 1/1] audit: log binding and unbinding to netlink multicast

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 5:35:55 PM EDT Paul Moore wrote: > On Fri, Oct 13, 2017 at 3:58 PM, Steve Grubb wrote: > > Log information about programs connecting and disconnecting to the audit > > netlink multicast socket. This is needed so that during investigations a > >

Re: [PATCH 1/1] audit: add missing fields to AUDIT_CONFIG_CHANGE event

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 11:27:06 AM EDT Richard Guy Briggs wrote: > On 2017-10-13 21:11, Paul Moore wrote: > > On Fri, Oct 13, 2017 at 3:54 PM, Richard Guy Briggs wrote: > > > Since these are already standalone records (since the context passed to > > > audit_log_start() is NULL) this info is

Re: [PATCH 1/1] audit: Add new syscalls to the perm=w filter

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 3:15:03 PM EDT Paul Moore wrote: > >> > The audit subsystem allows selecting audit events based on watches for > >> > a particular behavior like writing to a file. A lot of syscalls have > >> > been added without updating the list. This patch adds 2 syscalls to the > >>

Re: [PATCH 1/1] audit: Add new syscalls to the perm=w filter

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 3:10:59 PM EDT Paul Moore wrote: > On Thu, Oct 12, 2017 at 11:24 PM, Steve Grubb wrote: > > The audit subsystem allows selecting audit events based on watches for > > a particular behavior like writing to a file. A lot of syscalls have > > been a

[PATCH 1/1] audit: log binding and unbinding to netlink multicast

2017-10-13 Thread Steve Grubb
Log information about programs connecting and disconnecting to the audit netlink multicast socket. This is needed so that during investigations a security officer can tell who or what had access to the audit trail. This helps to meet the FAU_SAR.2 requirement for Common Criteria. Sample event: typ

[PATCH 1/1] audit: Allow auditd to set pid to 0 to end auditing

2017-10-13 Thread Steve Grubb
The API to end auditing has historically been for auditd to set the pid to 0. This patch restores that functionality. Signed-off-by: sgrubb --- kernel/audit.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 6dd556931739..1baabc9539

[PATCH 1/1] audit: Add new syscalls to the perm=w filter

2017-10-12 Thread Steve Grubb
The audit subsystem allows selecting audit events based on watches for a particular behavior like writing to a file. A lot of syscalls have been added without updating the list. This patch adds 2 syscalls to the write filters: fallocate and renameat2. Signed-off-by: sgrubb --- include/asm-generi

Re: [PATCH 1/1] audit: add missing fields to AUDIT_CONFIG_CHANGE event

2017-10-12 Thread Steve Grubb
On Thursday, October 12, 2017 6:51:19 PM EDT Paul Moore wrote: > On Thu, Oct 12, 2017 at 6:13 PM, Steve Grubb wrote: > > On Thursday, October 12, 2017 5:04:41 PM EDT Paul Moore wrote: > >> Another reminder that in general I'm not going to accept patches that > >&

Re: [PATCH 1/1] audit: add missing fields to AUDIT_CONFIG_CHANGE event

2017-10-12 Thread Steve Grubb
On Thursday, October 12, 2017 5:04:41 PM EDT Paul Moore wrote: > On Thu, Oct 12, 2017 at 3:57 PM, Steve Grubb wrote: > > There are very important fields necessary to understand who is adding > > audit rules and a little more context about the environment in which > > its hap

[PATCH 1/1] audit: add missing fields to AUDIT_CONFIG_CHANGE event

2017-10-12 Thread Steve Grubb
There are very important fields necessary to understand who is adding audit rules and a little more context about the environment in which its happening. This adds pid, uid, tty, subj, comm, and exe information to the event. These are required fields. Signed-off-by: sgrubb --- kernel/audit_watch

audit 2.8.1 released

2017-10-12 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Fix NULL ptr dereference in audispd plugin_dir parser - Signed/unsigned cleanup It was discovered that in a new inst

Re: RFC(v2): Audit Kernel Container IDs

2017-10-12 Thread Steve Grubb
On Thursday, October 12, 2017 10:14:00 AM EDT Richard Guy Briggs wrote: > Containers are a userspace concept. The kernel knows nothing of them. > > The Linux audit system needs a way to be able to track the container > provenance of events and actions. Audit needs the kernel's help to do > this.

Re: audit 2.8 released

2017-10-12 Thread Steve Grubb
On Tuesday, October 10, 2017 6:35:32 PM EDT Steve Grubb wrote: > Hello, > > I've just released a new version of the audit daemon. It can be downloaded > from http://people.redhat.com/sgrubb/audit. It will also be in rawhide > soon. The ChangeLog is: > > - Add supp

audit 2.8 released

2017-10-10 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Add support for ambient capability fields (Richard Guy Briggs) - Update auparse-normalizer to support TTY events - Ad

Re: [PATCH ALT4 V3 2/2] audit: filter PATH records keyed on filesystem magic

2017-10-09 Thread Steve Grubb
On Thursday, September 7, 2017 6:36:32 PM EDT Paul Moore wrote: > On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote: > > Tracefs or debugfs were causing hundreds to thousands of PATH records to > > be associated with the init_module and finit_module SYSCALL records on a > > > > few module

Re: [PATCH V3] filter: add filesystem filter with fstype

2017-10-05 Thread Steve Grubb
H records > that are not of interest. .LP > > .PP > diff --git a/lib/errormsg.h b/lib/errormsg.h > index 91d8252..ef54589 100644 > --- a/lib/errormsg.h > +++ b/lib/errormsg.h > @@ -20,6 +20,7 @@ > * Authors: > * Zhang Xiliang > * Steve Grubb >

Re: Audisp-remote - connection refused.

2017-10-04 Thread Steve Grubb
orward. Immediate mode does not use it. > On Wed, Oct 4, 2017 at 8:49 PM, Steve Grubb wrote: > > On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote: > > > Hi Steve / List > > > > > > Now, I have built auditd from source as per the ma

Re: Audisp-remote - connection refused.

2017-10-04 Thread Steve Grubb
s. Also set name_format = hostname in auditd.conf of the server. I would not recommend setting the name in audispd.conf for any system. -Steve > I did my best reading on net and debugging this - but no success. Please > help. > > On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb wr

Re: Audisp-remote - connection refused.

2017-10-03 Thread Steve Grubb
On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote: > Steve, > > Here is the relevant discussion on disabling the tcp listener on Ubuntu. > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html > > I do not know what exactly caused change - but now I think it

Re: Audisp-remote - connection refused.

2017-10-03 Thread Steve Grubb
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu > # > # If you're going to protect the portmapper use the name "rpcbind" for the > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information. > # > > ALL: ALL > root@guslogs:/etc/a

Re: Audisp-remote - connection refused.

2017-10-03 Thread Steve Grubb
On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: > Please see inline- > > regards > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb wrote: > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > > > Hi > >

[PATCH v7 1/1] audit: Record fanotify access control decisions

2017-10-02 Thread Steve Grubb
Hello, The fanotify interface allows user space daemons to make access control decisions. Under common criteria requirements, we need to optionally record decisions based on policy. This patch adds a bit mask, FAN_AUDIT, that a user space daemon can 'or' into the response decision which will tell

Re: Audisp-remote - connection refused.

2017-10-02 Thread Steve Grubb
On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > Hi > > I tried my best to configure the audisp-remote. > I am getting below error on the client machine in /var/log/syslog. > > Oct 2 14:41:15 xx audisp-remote: Error connecting to 192.168.103.7: > Connection refused On

Re: why I have lost messages on boot even with very big backlog while I hunting only 2 syscalls?

2017-09-30 Thread Steve Grubb
On Saturday, September 30, 2017 8:48:23 AM EDT you wrote: > Re: why I have lost messages on boot even with very big backlog while I > hunting only 2 syscalls? > From: Lev Olshvang > To: Me > CC: "linux-audit@redhat.com" > Date: 9/30/17 8:48 AM > &g

Re: why I have lost messages on boot even with very big backlog while I hunting only 2 syscalls?

2017-09-28 Thread Steve Grubb
Hello, On Thursday, September 28, 2017 4:51:38 AM EDT Lev Olshvang wrote: > 28.09.2017, 00:32, "Steve Grubb" : > > On Wednesday, September 27, 2017 4:41:29 PM EDT Lev Olshvang wrote: > >> Hello list ! > >> > >> A very technical question >

Re: why I have lost messages on boot even with very big backlog while I hunting only 2 syscalls?

2017-09-27 Thread Steve Grubb
On Wednesday, September 27, 2017 4:41:29 PM EDT Lev Olshvang wrote: > Hello list ! > > A very technical question > I have Ubuntu 16.10 Virtual Box , auditd 2.7.8 > I have audit=1 parameter in grub.cfg > I see that /proc/cmdline indeed sees it > > I see that auditd is started with PID 564 > > roo

[PATCH v6 1/1] audit: Record fanotify access control decisions

2017-09-26 Thread Steve Grubb
Hello, The fanotify interface allows user space daemons to make access control decisions. Under common criteria requirements, we need to optionally record decisions based on policy. This patch adds a bit mask, FAN_AUDIT, that a user space daemon can 'or' into the response decision which will tell

[PATCH v5 1/1] audit: Record fanotify access control decisions

2017-09-26 Thread Steve Grubb
Hello, The fanotify interface allows user space daemons to make access control decisions. Under common criteria requirements, we need to optionally record decisions based on policy. This patch adds a bit mask, FAN_AUDIT, that a user space daemon can 'or' into the response decision which will tell

[PATCH v4 1/1] audit: Record fanotify access control decisions

2017-09-25 Thread Steve Grubb
Hello, The fanotify interface allows user space daemons to make access control decisions. Under common criteria requirements, we need to optionally record decisions based on policy. This patch adds a bit mask, FAN_AUDIT, that a user space daemon can 'or' into the response decision which will tell

Re: [PATCH v3 1/1] audit: Record fanotify access control decisions

2017-09-25 Thread Steve Grubb
On Monday, September 25, 2017 2:49:19 PM EDT Amir Goldstein wrote: > On Mon, Sep 25, 2017 at 6:19 PM, Steve Grubb wrote: > > Hello, > > > > The fanotify interface allows user space daemons to make access > > control decisions. Under common criteria requirements, we ne

[PATCH v3 1/1] audit: Record fanotify access control decisions

2017-09-25 Thread Steve Grubb
Hello, The fanotify interface allows user space daemons to make access control decisions. Under common criteria requirements, we need to optionally record decisions based on policy. This patch adds a bit mask, FAN_AUDIT, that a user space daemon can 'or' into the response decision which will tell

Re: [PATCH V2 1/1] audit: Record fanotify access control decisions

2017-09-25 Thread Steve Grubb
On Monday, September 25, 2017 12:43:28 AM EDT Amir Goldstein wrote: > On Sun, Sep 24, 2017 at 11:25 PM, Steve Grubb wrote: > > Hello, > > > > The fanotify interface allows user space daemons to make access > > control decisions. Under common criteria requirements

[PATCH V2 1/1] audit: Record fanotify access control decisions

2017-09-24 Thread Steve Grubb
Hello, The fanotify interface allows user space daemons to make access control decisions. Under common criteria requirements, we need to optionally record decisions based on policy. This patch adds a bit mask, FAN_AUDIT, that a user space daemon can 'or' into the response decision which will tell

Re: Excluding audit for BIND daemon

2017-09-23 Thread Steve Grubb
> > Thanks! > > > > Best Regards, > Rituraj B > > On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb wrote: > > On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote: > > > Continued...from previous mail of mine.. > > > > >

Re: Excluding audit for BIND daemon

2017-09-23 Thread Steve Grubb
s and also on > > components like audisp / audisp-remote. So reading more .. > > > > > > Best Regards, > > Rituraj B > > > > On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb wrote: > >> Hello, > >> > >> On Friday, September 22, 2

Re: Excluding audit for BIND daemon

2017-09-22 Thread Steve Grubb
Hello, On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote: > I have a DNS server for which the auditd was generating lot of system calls > and flooding the logs. > Due to this the server was under heavy memory usage as audisp-remote was > hogging the memory. The log output fo

Re: [PATCH 1/1] audit: Record fanotify access control decisions

2017-09-20 Thread Steve Grubb
Hello Jan, On Friday, September 8, 2017 6:55:45 AM EDT Jan Kara wrote: > Hello Steve, > > On Thu 07-09-17 11:47:35, Steve Grubb wrote: > > > > On Thursday, September 7, 2017 6:18:05 AM EDT Jan Kara wrote: > > > On Wed 06-09-17 13:34:32, Steve Grubb wrote: > >

Re: ausearch --text : missing information

2017-09-18 Thread Steve Grubb
On Monday, August 21, 2017 12:01:43 PM EDT Maupertuis Philippe wrote: > Hi, > I was toying with the audit pci configuration. > I opened a root session with sudo in which I just typed C-r nss to retrieve > the command "less /etc/nsswitch.conf" from the bash_history. The text > format, as shown below
