Hello,

Removing people that probably could care less about an audit event...

On Tuesday, April 22, 2014 11:57:55 PM Eric Paris wrote:
> > Also, shouldn't we have an audit event for every attempt to connect to
> > this socket? We really need to know where this information is getting
> > leaked to.
>
> We certainly can. What would you like to see in that event?

I think it should be patterned after the other "standalone" kernel audit
events. We need pid, session, uid, auid, subj, comm, exe, and results. The
event type should be something like AUDIT_EVENT_LISTENER. I am wondering
about the usefulness of also adding op=connect op=disconnect to bracket the
times when something else was listening in on audit events.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
