On 14/10/21, Paul Moore wrote:
> On Tuesday, October 21, 2014 03:56:10 PM Steve Grubb wrote:
> > audit_log_task_info logs too much information for typical use. There are
> > times when you might want to know everything about what's connecting. But
> > in this case, we don't need anything about
On 14/10/21, Eric Paris wrote:
> On Tue, 2014-10-21 at 17:08 -0400, Richard Guy Briggs wrote:
> > On 14/10/21, Steve Grubb wrote:
> > > On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
> > > > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> > > > > Log the event when a
On Tuesday, October 21, 2014 06:30:29 PM Eric Paris wrote:
> I've always hated the fact that we include this in ANY current audit
> message. I truly believe we need two new record types.
>
> AUDIT_PROCESS_INFO
> AUDIT_EXTENDED_PROCESS_INFO
>
> What does my UID have to do with a syscall? Why is
On Tuesday, October 21, 2014 03:56:10 PM Steve Grubb wrote:
> audit_log_task_info logs too much information for typical use. There are
> times when you might want to know everything about what's connecting. But
> in this case, we don't need anything about groups, saved uids, fsuid, or
> ppid.
>
>
On Tue, 2014-10-21 at 17:08 -0400, Richard Guy Briggs wrote:
> On 14/10/21, Steve Grubb wrote:
> > On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
> > > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> > > > Log the event when a client attempts to connect to the netlink
On Tuesday, October 21, 2014 05:08:22 PM Richard Guy Briggs wrote:
> On 14/10/21, Steve Grubb wrote:
> > > super crazy yuck. audit_log_task_info() ??
> >
> > audit_log_task_info logs too much information for typical use. There are
> > times when you might want to know everything about what's
On 14/10/21, Steve Grubb wrote:
> On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
> > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> > > Log the event when a client attempts to connect to the netlink audit
> > > multicast socket, requiring CAP_AUDIT_READ capability,
On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
> On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> > Log the event when a client attempts to connect to the netlink audit
> > multicast socket, requiring CAP_AUDIT_READ capability, binding to the
> > AUDIT_NLGRP_READLOG
On 14/10/07, Richard Guy Briggs wrote:
> On 14/10/07, Eric Paris wrote:
> > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> > > Log the event when a client attempts to connect to the netlink audit
> > > multicast
> > > socket, requiring CAP_AUDIT_READ capability, binding to the
>
On 14/10/07, Richard Guy Briggs wrote:
On 14/10/07, Eric Paris wrote:
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
Log the event when a client attempts to connect to the netlink audit
multicast
socket, requiring CAP_AUDIT_READ capability, binding to the
On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
Log the event when a client attempts to connect to the netlink audit
multicast socket, requiring CAP_AUDIT_READ capability, binding to the
AUDIT_NLGRP_READLOG group. Log
On 14/10/21, Steve Grubb wrote:
On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
Log the event when a client attempts to connect to the netlink audit
multicast socket, requiring CAP_AUDIT_READ capability, binding to
On Tuesday, October 21, 2014 05:08:22 PM Richard Guy Briggs wrote:
On 14/10/21, Steve Grubb wrote:
super crazy yuck. audit_log_task_info() ??
audit_log_task_info logs too much information for typical use. There are
times when you might want to know everything about what's connecting.
On Tue, 2014-10-21 at 17:08 -0400, Richard Guy Briggs wrote:
On 14/10/21, Steve Grubb wrote:
On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
Log the event when a client attempts to connect to the netlink audit
On Tuesday, October 21, 2014 03:56:10 PM Steve Grubb wrote:
audit_log_task_info logs too much information for typical use. There are
times when you might want to know everything about what's connecting. But
in this case, we don't need anything about groups, saved uids, fsuid, or
ppid.
It's a
On Tuesday, October 21, 2014 06:30:29 PM Eric Paris wrote:
I've always hated the fact that we include this in ANY current audit
message. I truly believe we need two new record types.
AUDIT_PROCESS_INFO
AUDIT_EXTENDED_PROCESS_INFO
What does my UID have to do with a syscall? Why is it in
On 14/10/21, Eric Paris wrote:
On Tue, 2014-10-21 at 17:08 -0400, Richard Guy Briggs wrote:
On 14/10/21, Steve Grubb wrote:
On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
Log the event when a client attempts to
On 14/10/21, Paul Moore wrote:
On Tuesday, October 21, 2014 03:56:10 PM Steve Grubb wrote:
audit_log_task_info logs too much information for typical use. There are
times when you might want to know everything about what's connecting. But
in this case, we don't need anything about groups,
On Saturday, October 11, 2014 11:42:06 AM Steve Grubb wrote:
> On Tue, 07 Oct 2014 18:06:51 -0400
>
> Paul Moore wrote:
> > On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
> > > I also thought of moving audit_log_task() from auditsc.c to audit.c
> > > and using that. For that
On Tue, 07 Oct 2014 18:06:51 -0400
Paul Moore wrote:
> On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
> > I also thought of moving audit_log_task() from auditsc.c to audit.c
> > and using that. For that matter, both audit_log_task() and
> > audit_log_task_info() could use
On Tue, 07 Oct 2014 18:06:51 -0400
Paul Moore pmo...@redhat.com wrote:
On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
I also thought of moving audit_log_task() from auditsc.c to audit.c
and using that. For that matter, both audit_log_task() and
audit_log_task_info()
On Saturday, October 11, 2014 11:42:06 AM Steve Grubb wrote:
On Tue, 07 Oct 2014 18:06:51 -0400
Paul Moore pmo...@redhat.com wrote:
On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
I also thought of moving audit_log_task() from auditsc.c to audit.c
and using that.
On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
> I also thought of moving audit_log_task() from auditsc.c to audit.c
> and using that. For that matter, both audit_log_task() and
> audit_log_task_info() could use audit_log_session_info(), but they are
> in slightly different
On 14/10/07, Eric Paris wrote:
> On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> > Log the event when a client attempts to connect to the netlink audit
> > multicast
> > socket, requiring CAP_AUDIT_READ capability, binding to the
> > AUDIT_NLGRP_READLOG
> > group. Log the
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> Log the event when a client attempts to connect to the netlink audit multicast
> socket, requiring CAP_AUDIT_READ capability, binding to the
> AUDIT_NLGRP_READLOG
> group. Log the disconnect too.
>
> Sample output:
> time->Tue Oct
Log the event when a client attempts to connect to the netlink audit multicast
socket, requiring CAP_AUDIT_READ capability, binding to the AUDIT_NLGRP_READLOG
group. Log the disconnect too.
Sample output:
time->Tue Oct 7 14:15:19 2014
type=UNKNOWN[1348] msg=audit(1412705719.316:117): auid=0
Log the event when a client attempts to connect to the netlink audit multicast
socket, requiring CAP_AUDIT_READ capability, binding to the AUDIT_NLGRP_READLOG
group. Log the disconnect too.
Sample output:
time->Tue Oct 7 14:15:19 2014
type=UNKNOWN[1348] msg=audit(1412705719.316:117): auid=0
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
Log the event when a client attempts to connect to the netlink audit multicast
socket, requiring CAP_AUDIT_READ capability, binding to the
AUDIT_NLGRP_READLOG
group. Log the disconnect too.
Sample output:
time->Tue Oct 7
On 14/10/07, Eric Paris wrote:
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
Log the event when a client attempts to connect to the netlink audit
multicast
socket, requiring CAP_AUDIT_READ capability, binding to the
AUDIT_NLGRP_READLOG
group. Log the disconnect too.
On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
I also thought of moving audit_log_task() from auditsc.c to audit.c
and using that. For that matter, both audit_log_task() and
audit_log_task_info() could use audit_log_session_info(), but they are
in slightly different order
30 matches