On Tuesday, May 12, 2015 03:57:59 PM Richard Guy Briggs wrote:
On 15/05/05, Steve Grubb wrote:
I think there needs to be some more discussion around this. It seems like
this is not exactly recording things that are useful for audit.
It seems to me that either audit has to assemble that
On Thursday, May 14, 2015 10:42:38 AM Eric W. Biederman wrote:
Steve Grubb sgr...@redhat.com writes:
On Tuesday, May 12, 2015 03:57:59 PM Richard Guy Briggs wrote:
On 15/05/05, Steve Grubb wrote:
I think there needs to be some more discussion around this. It seems like
this is not
Steve Grubb sgr...@redhat.com writes:
On Tuesday, May 12, 2015 03:57:59 PM Richard Guy Briggs wrote:
On 15/05/05, Steve Grubb wrote:
I think there needs to be some more discussion around this. It seems like
this is not exactly recording things that are useful for audit.
It seems to me
On 05/14/2015 09:57 AM, Steve Grubb wrote:
Also, if the host OS cannot make sense of the information being logged because
the pid maps to another process name, or a uid maps to another user, or a file
access maps to something not in the host's, then we need the container to do
its own auditing
On Thursday, May 14, 2015 03:24:16 PM leam hall wrote:
Some security requirements include auditing events by users and root. So
the line might include something like:
-F auid=0 -F auid=500 -F auid!=4294967295
The fields will be ANDed. You cannot simultaneously have auid of 0 and =500.
So,
On Thursday, May 14, 2015 10:57:14 AM Steve Grubb wrote:
On Tuesday, May 12, 2015 03:57:59 PM Richard Guy Briggs wrote:
On 15/05/05, Steve Grubb wrote:
I think there needs to be some more discussion around this. It seems
like this is not exactly recording things that are useful for audit.
Some security requirements include auditing events by users and root. So
the line might include something like:
-F auid=0 -F auid=500 -F auid!=4294967295
My question is, if you don't include that phrase, will the audit system
still get everything and not incur a serious performance hit?