On Tuesday, October 21, 2014 03:56:10 PM Steve Grubb wrote:
> audit_log_task_info logs too much information for typical use. There are
> times when you might want to know everything about what's connecting. But
> in this case, we don't need anything about groups, saved uids, fsuid, or
> ppid.
> It's a shame we don't have an audit_log_task_info_light function which only
> records:
> pid= auid= uid= subj= comm= exe= ses= tty=

This is getting back to my earlier concerns/questions about field ordering, or
at the very least I'm going to hijack this conversation and steer it towards
field ordering ;)
Before we go too much farther, I'd really like us to agree that ordering is not
important, can we do that? As a follow up, what do we need to do to make that
happen in the userspace tools?
--
paul moore
security and virtualization @ redhat