Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-12-04 Thread Paul Moore
On Tue, Dec 4, 2018 at 3:07 AM Ondrej Mosnacek wrote: > On Sat, Dec 1, 2018 at 5:50 PM Steve Grubb wrote: > > On Tuesday, November 13, 2018 11:30:55 AM EST Paul Moore wrote: > > > On Tue, Nov 13, 2018 at 10:25 AM Ondrej Mosnacek > > wrote: > > > > On Tue, Nov 6, 2018 at 9:19 PM Paul Moore

Re: operation not supported on filtering

2018-12-04 Thread Vincent Fiset
> So...your kernel is not supporting this. You'd need to dig through the kernel source to find this. I don't think I can help much past this point as I'm not familiar with the Debian kernels. Thanks for the confirmation, you helped me a lot. On Tue, Dec 4, 2018 at 11:09 AM Steve Grubb wrote: > >

Re: operation not supported on filtering

2018-12-04 Thread Steve Grubb
On Tuesday, December 4, 2018 10:15:47 AM EST Vincent Fiset wrote: > > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 > > Unfortunately I already tried that before, strace was not revealing > anything obvious (for me at least) There's info in there. > sendto(4, >

Re: operation not supported on filtering

2018-12-04 Thread Vincent Fiset
> > here are the flags that I see in proc/config: > > > > $ zgrep -i audi /proc/config.gz > > CONFIG_AUDIT_ARCH=y > > CONFIG_AUDIT=y > > CONFIG_HAVE_ARCH_AUDITSYSCALL=y > > CONFIG_AUDITSYSCALL=y > > CONFIG_AUDIT_WATCH=y > > CONFIG_AUDIT_TREE=y > > CONFIG_NETFILTER_XT_TARGET_AUDIT=m > >

Re: operation not supported on filtering

2018-12-04 Thread Steve Grubb
On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote: > here are the flags that I see in proc/config: > > $ zgrep -i audi /proc/config.gz > CONFIG_AUDIT_ARCH=y > CONFIG_AUDIT=y > CONFIG_HAVE_ARCH_AUDITSYSCALL=y > CONFIG_AUDITSYSCALL=y > CONFIG_AUDIT_WATCH=y > CONFIG_AUDIT_TREE=y >

Re: operation not supported on filtering

2018-12-04 Thread Vincent Fiset
$ zgrep -i audi /proc/config.gz CONFIG_AUDIT_ARCH=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y CONFIG_NETFILTER_XT_TARGET_AUDIT=m CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 # CONFIG_KVM_MMU_AUDIT is not set #

Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

2018-12-04 Thread Ondrej Mosnacek
On Sat, Dec 1, 2018 at 5:50 PM Steve Grubb wrote: > On Tuesday, November 13, 2018 11:30:55 AM EST Paul Moore wrote: > > On Tue, Nov 13, 2018 at 10:25 AM Ondrej Mosnacek > wrote: > > > On Tue, Nov 6, 2018 at 9:19 PM Paul Moore wrote: > > > > On Tue, Nov 6, 2018 at 3:09 AM Ondrej Mosnacek >