On 2020-05-20 18:24, Paul Moore wrote: > On Wed, May 20, 2020 at 2:47 PM Richard Guy Briggs <[email protected]> wrote: > > > > Some table unregister actions seem to be initiated by the kernel to > > garbage collect unused tables that are not initiated by any userspace > > actions. It was found to be necessary to add the subject credentials to > > cover this case to reveal the source of these actions. A sample record: > > > > The uid, auid, tty, ses and exe fields have not been included since they > > are in the SYSCALL record and contain nothing useful in the non-user > > context. > > > > Here are two sample orphaned records: > > > > type=NETFILTER_CFG msg=audit(2020-05-20 12:14:36.505:5) : table=filter > > family=ipv4 entries=0 op=register pid=1 subj=kernel comm=swapper/0 > > > > type=NETFILTER_CFG msg=audit(2020-05-20 12:15:27.701:301) : table=nat > > family=bridge entries=0 op=unregister pid=30 > > subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:1 > > > > Signed-off-by: Richard Guy Briggs <[email protected]> > > Merged into audit/next, thanks Richard.
Thanks, Paul. > paul moore - RGB -- Richard Guy Briggs <[email protected]> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
