On Monday, October 10, 2016 5:10:39 PM EDT Paul Moore wrote:
> On Mon, Oct 10, 2016 at 1:24 PM, Steve Grubb <[email protected]> wrote:
> > On Thursday, August 18, 2016 2:18:55 PM EDT Richard Guy Briggs wrote:
> >> loginuid_set support should have been added to userspace when it was
> >> added to the kernel around v3.10. Add it before we do similar for
> >> sessionID and sessionID_set.
> >
> > If this were accepted, how would this change writing rules? IOW, can you
> > give an example rule so we can see what this looks like?
>
> We have a RFE feature page which documents some rule examples:
>
> * https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter

OK, thanks. This is helpful. So, what is the difference between these rules?

-a always,exit -F path=/tmp/sessionid_test -F loginuid=-1
-a always,exit -F path=/tmp/sessionid_set_test -F loginuid_set=0

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
