Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-21 Richard Guy Briggs
On 14/10/21, Paul Moore wrote: > On Tuesday, October 21, 2014 03:56:10 PM Steve Grubb wrote: > > audit_log_task_info logs too much information for typical use. There are > > times when you might want to know everything about what's connecting. But > > in this case, we don't need anything about grou

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-21 Richard Guy Briggs
On 14/10/21, Eric Paris wrote: > On Tue, 2014-10-21 at 17:08 -0400, Richard Guy Briggs wrote: > > On 14/10/21, Steve Grubb wrote: > > > On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote: > > > > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote: > > > > > Log the event when a clie

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-21 Paul Moore
On Tuesday, October 21, 2014 06:30:29 PM Eric Paris wrote: > I've always hated the fact that we include this in ANY current audit > message. I truly believe we need two new record types. > > AUDIT_PROCESS_INFO > AUDIT_EXTENDED_PROCESS_INFO > > What does my UID have to do with a syscall? Why is

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-21 Paul Moore
On Tuesday, October 21, 2014 03:56:10 PM Steve Grubb wrote: > audit_log_task_info logs too much information for typical use. There are > times when you might want to know everything about what's connecting. But > in this case, we don't need anything about groups, saved uids, fsuid, or > ppid. > >

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-21 Eric Paris
On Tue, 2014-10-21 at 17:08 -0400, Richard Guy Briggs wrote: > On 14/10/21, Steve Grubb wrote: > > On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote: > > > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote: > > > > Log the event when a client attempts to connect to the netlink aud

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-21 Steve Grubb
On Tuesday, October 21, 2014 05:08:22 PM Richard Guy Briggs wrote: > On 14/10/21, Steve Grubb wrote: > > > super crazy yuck. audit_log_task_info() ?? > > > > audit_log_task_info logs too much information for typical use. There are > > times when you might want to know everything about what's conn

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-21 Richard Guy Briggs
On 14/10/21, Steve Grubb wrote: > On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote: > > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote: > > > Log the event when a client attempts to connect to the netlink audit > > > multicast socket, requiring CAP_AUDIT_READ capability, bindi

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-21 Steve Grubb
On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote: > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote: > > Log the event when a client attempts to connect to the netlink audit > > multicast socket, requiring CAP_AUDIT_READ capability, binding to the > > AUDIT_NLGRP_READLOG group.

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-21 Richard Guy Briggs
On 14/10/07, Richard Guy Briggs wrote: > On 14/10/07, Eric Paris wrote: > > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote: > > > Log the event when a client attempts to connect to the netlink audit > > > multicast > > > socket, requiring CAP_AUDIT_READ capability, binding to the > >

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-11 Paul Moore
On Saturday, October 11, 2014 11:42:06 AM Steve Grubb wrote: > On Tue, 07 Oct 2014 18:06:51 -0400 > > Paul Moore wrote: > > On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote: > > > I also thought of moving audit_log_task() from auditsc.c to audit.c > > > and using that. For that

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-11 Steve Grubb
On Tue, 07 Oct 2014 18:06:51 -0400 Paul Moore wrote: > On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote: > > I also thought of moving audit_log_task() from auditsc.c to audit.c > > and using that. For that matter, both audit_log_task() and > > audit_log_task_info() could use aud

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-07 Paul Moore
On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote: > I also thought of moving audit_log_task() from auditsc.c to audit.c > and using that. For that matter, both audit_log_task() and > audit_log_task_info() could use audit_log_session_info(), but they are > in slightly different ord

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-07 Richard Guy Briggs
On 14/10/07, Eric Paris wrote: > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote: > > Log the event when a client attempts to connect to the netlink audit > > multicast > > socket, requiring CAP_AUDIT_READ capability, binding to the > > AUDIT_NLGRP_READLOG > > group. Log the disconne

Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-07 Eric Paris
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote: > Log the event when a client attempts to connect to the netlink audit multicast > socket, requiring CAP_AUDIT_READ capability, binding to the > AUDIT_NLGRP_READLOG > group. Log the disconnect too. > > Sample output: > time->Tue Oct 7

[RFC][PATCH] audit: log join and part events to the read-only multicast log socket

2014-10-07 Richard Guy Briggs
Log the event when a client attempts to connect to the netlink audit multicast socket, requiring CAP_AUDIT_READ capability, binding to the AUDIT_NLGRP_READLOG group. Log the disconnect too. Sample output: time->Tue Oct 7 14:15:19 2014 type=UNKNOWN[1348] msg=audit(1412705719.316:117): auid=0 uid=