On 14/04/28, Steve Grubb wrote:
> Hello,
>
> Removing people that probably could care less about an audit event...
>
> On Tuesday, April 22, 2014 11:57:55 PM Eric Paris wrote:
> > > Also, shouldn't we have an audit event for every attempt to connect to
> > > this socket? We really need to know where this information is getting
> > > leaked to.
> >
> > We certainly can. What would you like to see in that event?
>
> I think it should be patterned after the other "standalone" kernel audit
> events. We need pid, session, uid, auid, subj, comm, exe, and results. The
> event type should be something like AUDIT_EVENT_LISTENER. I am wondering about
> the usefulness of also adding op=connect op=disconnect to bracket the times
> when something else was listening in on audit events.

I assume that the order of these is not yet important and that gid should also be in this list (which will let me use audit_log_task()).

> -Steve

- RGB

--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
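
The following is an added example, not part of the original message or of any kernel patch: a sketch of how the proposed op=connect/op=disconnect records could be used to bracket the times a listener was attached. The record type name `EVENT_LISTENER`, the field layout (using the conventional audit names `ses` and `res`), and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample records. The type name and field layout are assumptions
# modelled on the fields proposed in the thread, not real kernel output.
SAMPLE = """\
type=EVENT_LISTENER msg=audit(1398700000.100:41): pid=812 uid=0 auid=1000 ses=3 subj=unconfined comm="listenerd" exe="/usr/bin/listenerd" op=connect res=1
type=EVENT_LISTENER msg=audit(1398700005.250:42): pid=977 uid=1001 auid=1001 ses=7 subj=unconfined comm="reader" exe="/tmp/reader" op=connect res=0
type=EVENT_LISTENER msg=audit(1398700030.500:57): pid=812 uid=0 auid=1000 ses=3 subj=unconfined comm="listenerd" exe="/usr/bin/listenerd" op=disconnect res=1
type=EVENT_LISTENER msg=audit(1398700040.000:60): pid=1200 uid=0 auid=1000 ses=3 subj=unconfined comm="collector" exe="/usr/sbin/collector" op=connect res=1
"""

HEADER = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
Window = namedtuple("Window", "pid exe auid start end")

def parse(line):
    """Return (timestamp, fields) for one listener record, else None."""
    m = HEADER.search(line)
    if not m or not line.startswith("type=EVENT_LISTENER "):
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    return float(m.group(1)), fields

def listener_windows(text):
    """Pair connect/disconnect per pid; return (windows, denied attempts)."""
    open_at, windows, denied = {}, [], []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, f = rec
        pid, op = f.get("pid"), f.get("op")
        if f.get("res") != "1":
            denied.append((ts, pid, f.get("exe")))  # failed attempt, no window
        elif op == "connect":
            open_at[pid] = (ts, f)
        elif op == "disconnect" and pid in open_at:
            start, c = open_at.pop(pid)
            windows.append(Window(pid, c.get("exe"), c.get("auid"), start, ts))
    # Listeners with no disconnect record are still attached: end is None.
    windows += [Window(p, c.get("exe"), c.get("auid"), s, None)
                for p, (s, c) in open_at.items()]
    return windows, denied

if __name__ == "__main__":
    wins, denied = listener_windows(SAMPLE)
    for w in wins:
        print(w)
    print("denied:", denied)
```

Pairing here is by pid only; a real consumer would also need to handle pid reuse across a long log.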
