On 14/04/28, Steve Grubb wrote:
> Hello,
> Removing people that probably could care less about an audit event...
> On Tuesday, April 22, 2014 11:57:55 PM Eric Paris wrote:
> > > Also, shouldn't we have an audit event for every attempt to connect to
> > > this socket? We really need to know where this information is getting
> > > leaked to.
> >
> > We certainly can. What would you like to see in that event?
> I think it should be patterned after the other "standalone" kernel audit
> events. We need pid, session, uid, auid, subj, comm, exe, and results. The
> event type should be something like AUDIT_EVENT_LISTENER. I am wondering about
> the usefulness of also adding op=connect op=disconnect to bracket the times
> when something else was listening in on audit events.
I assume that order of these is not yet important and that gid should
also be in this list (which will let me use audit_log_task()).
> -Steve
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545