On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> Apologies if this is the wrong list:
>
> Is it possible to filter on what shows up in the audit logs as the
> ouid of an inode being accessed?
>
> Alternatively, if I'm only interested in inodes of a particular ouid
> (or more specifically, accesses to an inode of a particular ouid from
> a process with a different uid), is my best bet doing post-audit
> filtering?

I have some patches you are likely to see on this list this week which
implement exactly both of these questions (I'm actually working on my
audit tree right now, I'm about 27 patches deep and probably have a
couple more to go). Specifically one to allow audit on ouid and one to
allow audit on uid != ouid or uid == ouid.

-Eric
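
The post-audit filtering asked about above, as an added example that is not part of the original thread: it joins each SYSCALL record's `uid` with the `ouid` of the PATH records in the same event and reports accesses to a watched `ouid` by a different `uid`. The sample records are constructed, the function names are hypothetical, and the code assumes the usual `type=... msg=audit(time:serial): key=value ...` log layout.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample records in the usual audit.log layout (not from the thread).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1320791100.101:500): arch=c000003e syscall=2 success=yes exit=3 pid=4100 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1320791100.101:500): item=0 name="/srv/app/secrets.conf" inode=131 dev=08:01 mode=0100644 ouid=48 ogid=48
type=SYSCALL msg=audit(1320791101.202:501): arch=c000003e syscall=2 success=yes exit=3 pid=4200 auid=1000 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd"
type=PATH msg=audit(1320791101.202:501): item=0 name="/srv/app/secrets.conf" inode=131 dev=08:01 mode=0100644 ouid=48 ogid=48
type=SYSCALL msg=audit(1320791102.303:502): arch=c000003e syscall=2 success=yes exit=3 pid=4300 auid=0 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1320791102.303:502): item=0 name="/home/bob/notes" inode=977 dev=08:01 mode=0100600 ouid=1001 ogid=1001
'''

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\):")

def parse_record(line):
    """Return (event_id, fields) for one record, or None if it is not one."""
    m = EVENT_ID.search(line)
    if not m:
        return None
    # Split into whole key=value tokens so "uid" never matches inside "auid"/"ouid".
    fields = dict(t.split("=", 1) for t in shlex.split(line[m.end():]) if "=" in t)
    fields["type"] = line.split(None, 1)[0].partition("=")[2]
    return m.group(1), fields

def foreign_accesses(log_text, watched_ouid):
    """Events where a PATH item has ouid == watched_ouid and the caller's uid differs."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        event_id, fields = rec
        if fields["type"] == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif fields["type"] == "PATH":
            events[event_id]["paths"].append(fields)
    hits = []
    for event_id, ev in events.items():
        sc = ev["syscall"]
        if sc is None or "uid" not in sc:
            continue  # PATH record without its SYSCALL record: cannot compare
        for p in ev["paths"]:
            if p.get("ouid") == str(watched_ouid) and sc["uid"] != p["ouid"]:
                hits.append((event_id, sc["uid"], p["ouid"], p.get("name"), sc.get("comm")))
    return hits

if __name__ == "__main__":
    print(*foreign_accesses(SAMPLE_LOG, 48), sep="\n")
```
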