Hi
I need to audit some specific commands which have the following form
cmd -arg1 -arg2 -query 'some query(args)'
In audit log I get a record like:
type=EXECVE msg=audit(1282117611.037:27469599): argv[0]=cmd argv[1]=-arg1
argv[2]=-arg2 argv[3]=-query
Hi Jure,
Presuming you've captured the audit records you're interested in a file named
snorf, you could do something like this:
# field 8 (split on '=') is the hex-encoded argv[4]; append 0a (newline) and decode it
cat snorf | awk -F= '{print $8 "0a"}' | xxd -r -p
In the example you had in the email, arg4 turns out to be:
strbegins(thread_id,thread_id=2369892f)
Best regards,
- Jure Simsic jure.sim...@gmail.com wrote:
Hi
I need to audit some specific commands which have the following form
cmd -arg1 -arg2 -query 'some query(args)'
In audit log I get a record like:
type=EXECVE msg=audit(1282117611.037:27469599): argv[0]=cmd argv[1]=-arg1 argv
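The awk/xxd one-liner above decodes one fixed field position. As an added example (not code from the thread), here is a small parser that walks an EXECVE record, recognises which argv values audit hex-encoded, and decodes them. It assumes the kernel rule that a value is hex-encoded when it contains a byte below 0x21, above 0x7e, or a double quote; the sample record and its query string are constructed, not taken from the original mail.

```python
import re

# Constructed sample (not the record from the mail): argv[4] holds a query that
# contains spaces, so audit emits it as a hex string instead of plain text.
_QUERY = "select * from t where id=1"
SAMPLE_RECORD = (
    "type=EXECVE msg=audit(1282117611.037:27469599): "
    "argv[0]=cmd argv[1]=-arg1 argv[2]=-arg2 argv[3]=-query "
    "argv[4]=" + _QUERY.encode().hex().upper()
)

# Matches both the old argv[N]=... layout seen in the mail and the aN=... layout
# of newer kernels; quoted values may contain escaped characters.
FIELD_RE = re.compile(r'\b(argv\[\d+\]|a\d+)=("(?:[^"\\]|\\.)*"|\S+)')


def needs_hex(data: bytes) -> bool:
    """True if audit would have hex-encoded this value (assumed kernel rule)."""
    return any(b < 0x21 or b > 0x7E or b == 0x22 for b in data)


def decode_value(raw: str) -> str:
    """Turn one argv field value back into the argument string."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]                      # plain value, as newer kernels quote it
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        decoded = bytes.fromhex(raw)
        # Only accept it as hex if the decoded bytes would have forced encoding;
        # an unquoted plain token such as "cafe" is otherwise left untouched.
        if needs_hex(decoded):
            return decoded.decode("utf-8", errors="backslashreplace")
    return raw                                # unquoted plain value (old layout)


def parse_execve(record: str) -> list:
    """Return the decoded argv list of an EXECVE record, in index order."""
    if not record.startswith("type=EXECVE"):
        raise ValueError("not an EXECVE record")
    args = {}
    for key, raw in FIELD_RE.findall(record):
        idx = int(re.search(r"\d+", key).group())
        args[idx] = decode_value(raw)
    return [args[i] for i in sorted(args)]
```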
We have the information, so let's allow userspace audit messages to be
filtered based on the SELinux context. In particular this can be useful to
shut up the login events generated every time a cron job runs.
Signed-off-by: Eric Paris epa...@redhat.com
---
kernel/auditfilter.c | 9 +
From: Miloslav Trmac m...@redhat.com
Add support for matching by security label (e.g. SELinux context) of
the sender of a user-space audit record.
The audit filter code already allows user space to configure such
filters, but they were ignored during evaluation. This patch implements