On Tuesday, January 24, 2012 01:08:56 PM Marcelo Cerri wrote:
> I took a look at some anomaly events and I'm thinking of correlating them
> to guests based on the SELinux context or maybe based on the pid field.
>
> Do you think there are other ways to correlate them?
I was thinking of correlating them based on the time and pid. If it's within the time range between startup/shutdown and it's the same pid, then you have the event correlated. If it's outside the time range or a different pid, then you do not have correlation. I would not look at the selinux label because not all systems/distros have it enabled or compiled in. So, pid and time are the most universal identifiers for correlation.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
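The pid-plus-time-window rule Steve describes, as an added worked example that is not part of the thread and not code from the audit or libvirt projects. It parses a handful of constructed, simplified audit records (the VIRT_CONTROL field names `op`, `vm` and `vm-pid` are assumptions modelled on libvirt's records, not captured output), builds each guest's lifetime from its start/stop records keyed by the qemu pid, and then assigns every ANOM_* record to a guest only when the pid matches and the timestamp falls inside that lifetime. The samples deliberately include the two failure modes the rule has to handle: a pid reused by an unrelated process after the guest stopped, and a guest that is still running (no stop record yet, so the window is open-ended).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log (simplified; not captured from a real system).
# VIRT_CONTROL carries the guest name (vm) and the qemu process id (vm-pid);
# ANOM_ABEND carries the pid of the process that crashed.
SAMPLE_LOG = """\
type=VIRT_CONTROL msg=audit(1327420000.100:101): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=start reason=booted vm="web01" vm-pid=5001 exe="/usr/sbin/libvirtd" res=success'
type=VIRT_CONTROL msg=audit(1327420005.200:102): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=start reason=booted vm="db01" vm-pid=5002 exe="/usr/sbin/libvirtd" res=success'
type=ANOM_ABEND msg=audit(1327420100.300:103): auid=4294967295 uid=107 gid=107 ses=4294967295 pid=5001 comm="qemu-kvm" sig=11
type=VIRT_CONTROL msg=audit(1327420200.400:104): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=stop reason=crashed vm="web01" vm-pid=5001 exe="/usr/sbin/libvirtd" res=success'
type=ANOM_ABEND msg=audit(1327420300.500:105): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=5001 comm="sleep" sig=6
type=ANOM_ABEND msg=audit(1327420400.600:106): auid=4294967295 uid=107 gid=107 ses=4294967295 pid=7777 comm="qemu-kvm" sig=11
type=ANOM_ABEND msg=audit(1327420500.700:107): auid=4294967295 uid=107 gid=107 ses=4294967295 pid=5002 comm="qemu-kvm" sig=11
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# key=value pairs; values may be "double-quoted", 'single-quoted' or bare.
FIELD_RE = re.compile(r"([\w-]+)=(\"[^\"]*\"|'[^']*'|\S+)")


@dataclass
class AuditRecord:
    type: str
    ts: float        # seconds since epoch, from the msg=audit(...) header
    serial: int
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Guest:
    name: str
    pid: int
    start: float
    stop: Optional[float] = None   # None: no stop record seen yet (still running)


def parse_record(line: str) -> Optional[AuditRecord]:
    """Split one audit line into type, timestamp, serial and flat key=value fields.
    A nested msg='...' payload (as in VIRT_CONTROL) is flattened into the same dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(m.group("rest")):
        if value.startswith("'") and value.endswith("'"):
            for k2, v2 in FIELD_RE.findall(value[1:-1]):
                fields[k2] = v2.strip('"')
        else:
            fields[key] = value.strip('"')
    return AuditRecord(m.group("type"), float(m.group("ts")), int(m.group("serial")), fields)


def build_guest_lifetimes(records: List[AuditRecord]) -> List[Guest]:
    """One Guest per VIRT_CONTROL op=start, closed by the matching op=stop for the same vm-pid."""
    guests: List[Guest] = []
    running: Dict[int, Guest] = {}
    for r in records:
        if r.type != "VIRT_CONTROL" or "vm-pid" not in r.fields:
            continue
        pid = int(r.fields["vm-pid"])
        if r.fields.get("op") == "start":
            g = Guest(r.fields.get("vm", "?"), pid, r.ts)
            guests.append(g)
            running[pid] = g
        elif r.fields.get("op") == "stop":
            g = running.pop(pid, None)
            if g is not None:
                g.stop = r.ts
    return guests


def correlate(records: List[AuditRecord], guests: List[Guest]) -> List[Tuple[int, int, Optional[str]]]:
    """For each ANOM_* record return (serial, pid, guest name or None).
    A match needs the same pid AND a timestamp inside [start, stop] (stop open-ended if None)."""
    out = []
    for r in records:
        if not r.type.startswith("ANOM_") or "pid" not in r.fields:
            continue
        pid = int(r.fields["pid"])
        match = None
        for g in guests:
            if g.pid == pid and g.start <= r.ts and (g.stop is None or r.ts <= g.stop):
                match = g.name
                break
        out.append((r.serial, pid, match))
    return out


def correlate_log(text: str) -> List[Tuple[int, int, Optional[str]]]:
    records = [rec for rec in map(parse_record, text.splitlines()) if rec is not None]
    return correlate(records, build_guest_lifetimes(records))


if __name__ == "__main__":
    for serial, pid, guest in correlate_log(SAMPLE_LOG):
        print(f"serial={serial} pid={pid} guest={guest or '(none)'}")
```

Serial 103 lands on web01, while serial 105 carries the same pid but arrives after web01's stop record and so is left uncorrelated (pid reuse), as is serial 106, whose pid never belonged to any guest; serial 107 correlates to db01 even though no stop record exists, because the window for a running guest stays open. Real deployments should resolve timestamps from the audit header rather than from wall-clock log rotation, and treat the vm-pid/op field names as a point to check against the libvirt version in use.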
