On Tue, Nov 8, 2011 at 3:17 PM, Eric Paris <[email protected]> wrote:
> On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> > Apologies if this is the wrong list:
> >
> > Is it possible to filter on what shows up in the audit logs as the
> > ouid of an inode being accessed?
> >
> > Alternatively, if I'm only interested in inodes of a particular ouid
> > (or more specifically, accesses to an inode of a particular ouid from
> > a process with a different uid), is my best bet doing post-audit
> > filtering?
>
> I have some patches you are likely to see on this list this week which
> implement exactly both of these questions (I'm actually working on my
> audit tree right now, I'm about 27 patches deep and probably have a
> couple more to go). Specifically one to allow audit on ouid and one to
> allow audit on uid != ouid or uid == ouid.
>

Out of curiosity, these are both kernel and userland patches, right?

> -Eric
>
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
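The post-audit filtering asked about in the thread, as an added example that is not part of the original messages or of the audit project's code: it groups raw audit records by event ID and reports accesses to inodes of a given `ouid` made by a process with a different `uid`. The function name and the sample log lines are constructed for illustration, and it assumes raw (numeric, uninterpreted) `audit.log` records.

```python
import re
from collections import defaultdict

# Constructed sample records in raw audit.log style (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1320794220.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=4101 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1320794220.101:501): item=0 name="/home/alice/notes.txt" inode=131 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1320794221.202:502): arch=c000003e syscall=2 success=yes exit=3 pid=4102 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1320794221.202:502): item=0 name="/home/alice/notes.txt" inode=131 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
type=PATH msg=audit(1320794222.303:503): item=0 name="/etc/shadow" inode=77 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
type=SYSCALL msg=audit(1320794222.303:503): arch=c000003e syscall=2 success=no exit=-13 pid=4103 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/bin/cat"
"""

RECORD = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def cross_owner_accesses(log_text, target_ouid):
    """Return (event_id, uid, ouid, name) for each PATH item owned by
    target_ouid that was accessed by a process running as another uid."""
    # Records of one event share the timestamp:serial ID but may arrive in
    # any order, so collect per event first and compare afterwards.
    events = defaultdict(lambda: {"uid": None, "paths": []})
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, event_id, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "SYSCALL":
            events[event_id]["uid"] = fields.get("uid")
        elif rtype == "PATH" and "ouid" in fields:
            events[event_id]["paths"].append((fields.get("name"), fields["ouid"]))

    hits = []
    for event_id, ev in events.items():
        for name, ouid in ev["paths"]:
            # Keep only the wanted owner, and only when the accessor differs.
            if ouid == str(target_ouid) and ev["uid"] not in (None, ouid):
                hits.append((event_id, ev["uid"], ouid, name))
    return hits

if __name__ == "__main__":
    for hit in cross_owner_accesses(SAMPLE_LOG, 1000):
        print(hit)
```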
