Re: [PATCH 0/6][v2] audit: implement multicast socket for journald
Hello,
Removing people that probably could care less about an audit event...
On Tuesday, April 22, 2014 11:57:55 PM Eric Paris wrote:
> Also, shouldn't we have an audit event for every attempt to
connect to
> this socket? We really need to know where this information is getting
> leaked to.
We certainly can. What would you like to see in that event?
I think it should be patterned after the other "standalone" kernel audit
events. We need pid, sesion, uid, auid, subj, comm, exe, and results. The
event type should be something like AUDIT_EVENT_LISTENER. I am wondering about
the usefulness of also adding op=connect op=disconnect to bracket the times
when something else was listening in on audit events.
-Steve