Hello Richard,

While we're in the NETFILTER area, the CFG event is lacking some fields, too. It's currently:

table,family,entries

It's missing everything about *who* sent it:

pid,uid,auid,ses,subj,exe,res

I'd suggest:

pid,uid,auid,ses,subj,table,family,entries,exe,res

to make it compatible with the majority of records.

Incidentally, I created a chart that shows how each record type is alike and different from every other record. You might call it a record grammar tree:

http://people.redhat.com/sgrubb/audit/record-fields.html

I'd like to align as many events as possible to the pid,uid,auid section of the graph.

-Steve
