On Tue, May 19, 2020 at 11:31 AM Richard Guy Briggs <[email protected]> wrote: > > Some table unregister actions seem to be initiated by the kernel to > garbage collect unused tables that are not initiated by any userspace > actions. It was found to be necessary to add the subject credentials to > cover this case to reveal the source of these actions. A sample record: > > The tty, ses and exe fields have not been included since they are in the > SYSCALL record and contain nothing useful in the non-user context. > > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat > family=bridge entries=0 op=unregister pid=153 uid=root auid=unset > subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
Based on where things were left in the discussion on the previous draft, I think it would be good if you could explain a bit why the uid and auid fields are useful here. -- paul moore www.paul-moore.com
