9:54 a.m.
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- fix bug in incremental flush where is wrongly reported an error
- ausearch should not do uid check for -if option
- adjust ipc interpretation to not use ipc.h
There's some documentation updates as well. Please let me know if there are
any problems.
-Steve
1:09 p.m.
New subject: USER messages - default behavior
Since we will soon be able to filter USER messages by auid, I have a
question about what the default behavior will be.
Currently, all USER messages are captured by default, will this remain
true? Or will there be a new auditctl rule to
turn on or off auditing of USER messages, similar to how we have "-S all"
for syscalls?
Once we are able to audit by auid, will we then audit all USER messages
unless the auid of the
USER message matches a filter rule such as "auditctl -a exit,always -F
auid!=<auid>"?
Thanks,
debbie
1:21 p.m.
New subject: USER messages - default behavior
On Thursday 16 June 2005 14:09, Debora Velarde wrote:
Since we will soon be able to filter USER messages by auid, I have a
question about what the default behavior will be. Currently, all USER
messages are
captured by default, will this remain true?
I think so.
Or will there be a new auditctl rule to turn on or off auditing of
USER
messages, similar to how we have "-S all" for syscalls?
I was thinking that we could do something like that someday in the future but
not for this development cycle. It is on the TODO list.
Once we are able to audit by auid, will we then audit all USER
messages
unless the auid of the USER message matches a filter rule such as "auditctl
-a exit,always -F auid!=<auid>"?
I think that was the intention. You could also do "-a exit,never -F
auid=<auid>"
-Steve
1:46 p.m.
New subject: USER messages - default behavior
On Thursday 16 June 2005 14:21, Steve Grubb wrote:
> You could also do "-a exit,never -F auid=<auid>"
Of course substituting the new list name for exit.
Perhaps I missed something. What 'new list name for exit'?
I'm on audit0.9.4 where entry and exit are still valid.
Is this different in a more recent audit?
-debbie
2:43 p.m.
New subject: USER messages - default behavior
On Thursday 16 June 2005 14:46, Debora Velarde wrote:
Perhaps I missed something. What 'new list name for exit'?
That would be up to David or Tim...whoever is implementing it.
I'm on audit0.9.4 where entry and exit are still valid.
Is this different in a more recent audit?
No. I'll sync up user space when we have a kernel that has the filter in it.
-Steve
7129
days inactive
7129
days old
linux-audit@lists.linux-audit.osci.io
5 comments
2 participants
participants (2)
-
Debora Velarde -
Steve Grubb