is there some notification sent? This seems like an
excellent way for an individual to obscure their actions on a system.
--
paul moore
linux security @ hp
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Functions */
+
+struct audit_buffer *netlbl_audit_start_common(int type);
+void netlbl_audit_nomsg(int type);
+
#endif
--
paul moore
linux security @ hp
in the next release of the patch. Speaking of which, I
should have the next release out later today, I'm just waiting on some
feedback to see if it meets all of the LSPP certification requirements.
--
paul moore
linux security @ hp
Please consider this for inclusion into 2.6.19.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
include/linux/audit.h |6 ++
include/net/cipso_ipv4.h |5 +-
include/net/netlabel.h |2
net/ipv4/cipso_ipv4.c |8 ++-
net/netlabel
-vm_next;
+ }
+ up_read(current-mm-mmap_sem);
+ }
+
If this function was moved inside auditsc.c you could use a function there
that does this. But the question remains why all this data?
In the ideal world would you prefer this to be removed?
--
paul moore
linux
Dave,
I think Steve and I have agreed on a solution, I'll put together a patch
right now based on what is currently in net-2.6 (i.e. the existing
NetLabel audit patch) and submit it to the lists in a few hours.
Steve Grubb wrote:
On Friday 29 September 2006 14:09, Paul Moore wrote:
type field
believe you can get away
with plucking the loginuid from the current task, yes? no?
--
paul moore
linux security @ hp
I'm trying to find a way to quickly determine if auditing is enabled and it
looks like the only real way to do that is to declare audit_enabled as an extern
and check the variable directly. Is there some interface for this that I am
missing?
--
paul moore
linux security @ hp
Steve Grubb wrote:
On Tuesday 14 November 2006 12:48, Paul Moore wrote:
I'm trying to find a way to quickly determine if auditing is enabled and it
looks like the only real way to do that is to declare audit_enabled as an
extern and check the variable directly. Is there some interface
On Friday, April 20 2007 6:35:34 pm paul moore wrote:
I have a test app that quite happily does an audit_set_pid and then sits
there reading /dev/audit.
It works fine if it's in the lead thread. But when I run the same code in my
real app it runs in a different thread. No matter what PID I
received
Paul Moore
Sorry
Redhat es4 x86 monoproc
Kernel 2.6.9-34.EL
Audit 1.0.12-1.EL4
gcc 3.4.5 (redhat's)
-Original Message-
From: Paul Moore [mailto:[EMAIL PROTECTED]
Sent: Friday, April 20, 2007 3:45 PM
To: paul moore
Cc: linux-audit@redhat.com
Subject: Re: listening to /dev/audit in a pthread
@redhat.com
Cc: paul moore
Subject: Re: (no subject)
On Friday 20 April 2007 18:13:17 paul moore wrote:
My understanding is that the auid/loginid process property is to allow
the audit system to *really* know who did things. In particular it
seems to be for tracking who did things when they run
-
From: Steve Grubb [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 05, 2007 6:34 AM
To: linux-audit@redhat.com
Cc: paul moore
Subject: Re: hexified path in cwd audit message if dir no longer exists
On Friday 04 May 2007 20:47:19 paul moore wrote:
Occasionally I get a CWD audit message
: Saturday, May 05, 2007 6:34 AM
To: linux-audit@redhat.com
Cc: paul moore
Subject: Re: hexified path in cwd audit message if dir no longer exists
On Friday 04 May 2007 20:47:19 paul moore wrote:
Occasionally I get a CWD audit message that has a hexified path in it.
Like this
$1 = audit(1178324383.479
in include/linux/errno.h
I have no idea if the fix is the right way of dealing with the problem (I'll
let the audit experts vote on that), but thanks for looking into the problem
and coming up with a possible solution.
--
paul moore
linux security @ hp
Hello,
I was wondering what was the correct way to send a netmask in an audit
message? Can I simply add it to the end of the 'addr' field:
addr=10.0.0.0/8
Or is there some other field specifically for the netmask?
addr=10.0.0.0 X=8
--
paul moore
linux security @ hp
On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
On Thursday 15 November 2007 16:12:53 Paul Moore wrote:
I was wondering what was the correct way to send a netmask in an audit
message?
That is a curious one. I don't think we've ever recorded a netmask since we
don't audit
On Friday 16 November 2007 7:07:14 pm Casey Schaufler wrote:
--- Paul Moore [EMAIL PROTECTED] wrote:
On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
Or is there some other field specifically for the netmask?
addr=10.0.0.0 X=8
This would probably be better so
\
daddr=192.168.0.10 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1
--
paul moore
linux security @ hp
I just noticed that the IPsec auditing code does not appear to audit the
netmask for the selector source and destination addresses in
xfrm_audit_common_policyinfo(). Before I threw a patch together I thought I
would check to see if there was a reason for this that I am missing ...
--
paul
On Wednesday 21 November 2007 4:26:57 pm Paul Moore wrote:
On Wednesday 21 November 2007 4:21:26 pm Linda Knippers wrote:
Paul Moore wrote:
For reference, here are four examples of the new message types pulled
from a Fedora Rawhide machine running this patch:
* adding new fallback
On Monday 26 November 2007 11:47:09 am Joy Latten wrote:
Paul Moore [EMAIL PROTECTED] wrote on 11/21/2007 03:34:31 PM:
I just noticed that the IPsec auditing code does not appear to audit the
netmask for the selector source and destination addresses in
xfrm_audit_common_policyinfo
), and two local variables were created to
make referencing the XFRM security context and selector information cleaner.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
net/xfrm/xfrm_policy.c | 44 ++--
1 files changed, 26 insertions(+), 18 deletions
On Thursday 29 November 2007 5:34:59 am Herbert Xu wrote:
On Mon, Nov 26, 2007 at 07:55:12PM +, Paul Moore wrote:
Currently the netmask/prefix-length of an IPsec SPD entry is not included
in any of the SPD related audit messages. This can cause a problem when
the audit log is examined
On Thursday 29 November 2007 8:45:46 am Paul Moore wrote:
On Thursday 29 November 2007 5:34:59 am Herbert Xu wrote:
On Mon, Nov 26, 2007 at 07:55:12PM +, Paul Moore wrote:
Currently the netmask/prefix-length of an IPsec SPD entry is not
included in any of the SPD related audit
On Saturday 01 December 2007 7:28:34 am Herbert Xu wrote:
On Fri, Nov 30, 2007 at 09:51:48AM -0500, Paul Moore wrote:
Steve and/or Joy, could we get a verdict on this issue? The lack of a
netmask in the SPD audit messages is pretty serious so I'd like to see
this fixed as soon as possible
On Wednesday 05 December 2007 2:45:12 pm Paul Moore wrote:
Hello all,
I'm looking at RFC4303 at some of the auditing requirements and one of the
gaps between what the specification requires and what we currently provide
involves the SA's sequence number and the IPv6 flow ID. According
fields which are a
good match. With that in mind I'd like to propose two new fields:
* seqno - sequence number
* flowid - flow id
Any comments, objections, suggestions?
[1] http://people.redhat.com/sgrubb/audit/audit-parse.txt
--
paul moore
linux security @ hp
On Thursday 06 December 2007 1:25:50 pm [EMAIL PROTECTED] wrote:
On Wed, 05 Dec 2007 14:45:12 EST, Paul Moore said:
Hello all,
I'm looking at RFC4303 at some of the auditing requirements and one of
the gaps between what the specification requires and what we currently
provide involves
On Friday 07 December 2007 3:52:31 pm Eric Paris wrote:
On Fri, 2007-12-07 at 14:57 -0500, Paul Moore wrote:
NOTE: This really is an RFC patch, it compiles and boots but that is
pretty much all I can promise at this point. I'm posting this patch to
gather feedback from the audit crowd
,always -F msgtype=USER_LOGIN
Great, thanks for the tip.
BTW, what is the linux-audit-bounces list? Some majordomo magic?
--
paul moore
linux security @ hp
was intended
* Proper spacing around commas in function arguments
Minor style tweak since I was already touching the code
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
include/linux/xfrm.h|2 +
include/net/xfrm.h | 18 ++--
net/xfrm/xfrm_policy.c | 15 +-
net
On Tuesday 11 December 2007 5:22:02 am David Miller wrote:
From: Eric Paris [EMAIL PROTECTED]
Date: Fri, 07 Dec 2007 15:36:08 -0500
On Fri, 2007-12-07 at 12:11 -0500, Paul Moore wrote:
This patch fixes a number of small but potentially troublesome things
in the XFRM/IPsec code
was intended
* Proper spacing around commas in function arguments
Minor style tweak since I was already touching the code
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
include/linux/xfrm.h|2 +
include/net/xfrm.h | 18 ++--
net/xfrm/xfrm_policy.c | 15
On Tuesday 11 December 2007 12:06:11 pm David Miller wrote:
From: Paul Moore [EMAIL PROTECTED]
Date: Tue, 11 Dec 2007 11:30:19 -0500
Sorry for not pointing this out sooner:
No problem, better late than never ... despite reports to the contrary,
breaking userspace doesn't excite me as much
On Tuesday 11 December 2007 12:19:57 pm YOSHIFUJI Hideaki / 吉藤英明 wrote:
Please do not mangle tabs into spaces.
Yes indeed. Not quite sure what happened there but I just fixed it.
Thanks for pointing that out.
--
paul moore
linux security @ hp
On Tuesday 11 December 2007 12:21:26 pm David Miller wrote:
From: Paul Moore [EMAIL PROTECTED]
Date: Tue, 11 Dec 2007 12:15:00 -0500
I still would like to see the rest of the changes make it into
2.6.25 (the SPI byte order thing is particularly troublesome) so if
you don't mind a v3 I'll
-by: Paul Moore [EMAIL PROTECTED]
---
net/xfrm/xfrm_state.c | 10 ++
1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index cf43c49..1af522b 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2028,6 +2028,7 @@ void
In several places the arguments to the xfrm_audit_start() function are in the
wrong order resulting in incorrect user information being reported. This
patch corrects this by placing the arguments in the correct order.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
net/xfrm/xfrm_policy.c |4
On Thursday 20 December 2007 3:00:09 am David Miller wrote:
From: Paul Moore [EMAIL PROTECTED]
Date: Wed, 19 Dec 2007 14:29:31 -0500
The following patch is backed against David's net-2.6 tree and is pretty
trivial. I know we're late in the 2.6.24 cycle but I think this is worth
merging
directory
`/home/paul/Develop/audit/audit-test/trustedprograms'
make: *** [subdirs] Error 2
I'm running Fedora Core 7
It looks like you need to install the SELinux policy development RPM, I
believe the package name is selinux-policy-devel.
--
paul moore
linux security @ hp
, just drop this patch and I'll cook up something
else to solve the problem.
Thanks.
--
paul moore
linux security @ hp
for this event
SHOULD include the SPI value, current date/time, Source Address,
Destination Address, and (in IPv6) the cleartext Flow ID.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
net/xfrm/xfrm_output.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/net/xfrm
in function arguments
Minor style tweak since I was already touching the code
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
include/net/xfrm.h | 14 ++---
net/xfrm/xfrm_policy.c | 15 ++
net/xfrm/xfrm_state.c | 53
3
in general, i.e. both AH and ESP. The one case, integrity check
failure, where ESP specific code had to be modified the same was done to the
AH code for the sake of consistency.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
include/net/xfrm.h | 33 --
net/ipv4/ah4.c
On Friday 21 December 2007 9:02:41 am David Miller wrote:
From: Paul Moore [EMAIL PROTECTED]
Date: Fri, 21 Dec 2007 08:51:22 -0500
Ah, looks like I may not be crazy after all! It looks like the XFRM
patches from Masahide NAKAMURA were pulled into net-2.6.25 just before
mine last night
a conditional and an assignment. Granted they are atomic
ops, but everyone keeps telling me that atomic ops are pretty quick on
almost all of the platforms that Linux supports ...
--
paul moore
linux security @ hp
On Thursday 24 January 2008 1:01:12 pm Eric Paris wrote:
On Thu, 2008-01-24 at 12:52 -0500, Paul Moore wrote:
On Wednesday 23 January 2008 5:06:53 pm Linda Knippers wrote:
Eric Paris wrote:
On Wed, 2008-01-23 at 16:05 -0500, Linda Knippers wrote:
This is unrelated to your patch but I
in
parsing. It's a judgment call over when and how to introduce change
and the anticipated impact.
All reasons for why I think we need to remove as much of the formatting
decisions from the caller.
--
paul moore
linux security @ hp
, second versions that run in
parallel, etc. While this problem may be new to audit, it is not new to the
kernel or other software projects; it _is_ a solvable problem, it just
requires some of that hard work.
--
paul moore
linux security @ hp
On Wednesday 30 January 2008 11:01:09 am Steve Grubb wrote:
On Wednesday 30 January 2008 10:34:00 Paul Moore wrote:
On Wednesday 30 January 2008 9:21:34 am Steve Grubb wrote:
On Tuesday 29 January 2008 17:56:36 John Dennis wrote:
The bottom line is one cannot parse the audit messages
system and we need to focus higher up the stack
for a while. There's all kinds of neat things we can do if we don't keep
reworking the bottom layer. :)
... Neat things like building castles on the sand? ;)
(Sorry, couldn't resist!)
--
paul moore
linux security @ hp
Fix the following compiler warning by using %zu as defined in C99.
CC kernel/auditsc.o
kernel/auditsc.c: In function 'audit_log_single_execve_arg':
kernel/auditsc.c:1074: warning: format '%ld' expects type 'long int', but
argument 4 has type 'size_t'
Signed-off-by: Paul Moore [EMAIL
On Wednesday 27 February 2008 12:45:05 pm Paul Moore wrote:
On Wednesday 27 February 2008 11:22:01 am Eric Paris wrote:
On Wed, 2008-02-27 at 10:39 -0500, Paul Moore wrote:
Fix the following compiler warning by using %zu as defined in
C99.
CC kernel/auditsc.o
kernel
On Saturday 01 March 2008 2:52:30 pm Ahmed S. Darwish wrote:
Setup the new inode_getsecid and ipc_getsecid() LSM hooks
for SELinux.
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Reviewed-by: Paul Moore [EMAIL PROTECTED]
---
hooks.c
On Saturday 01 March 2008 2:56:22 pm Ahmed S. Darwish wrote:
Don't use SELinux exported selinux_get_task_sid symbol.
Use the generic LSM equivalent instead.
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Reviewed-by: Paul Moore [EMAIL
(rule)
Those hooks are only available if CONFIG_AUDIT is enabled.
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Reviewed-by: Paul Moore [EMAIL PROTECTED]
---
include/linux/security.h | 72
]
Reviewed-by: Paul Moore [EMAIL PROTECTED]
---
include/linux/selinux.h| 62
-
security/selinux/exports.c | 42 -- 2
files changed, 104 deletions(-)
diff --git a/include/linux/selinux.h b/include/linux/selinux.h
index
Morris already Ack'd your entire patch set).
Thanks for all your work on this, it's a nice improvement.
--
paul moore
linux security @ hp
-by: Paul Moore [EMAIL PROTECTED]
---
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 5dcc10b..fac27ce 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2112,7 +2112,7 @@ static void xfrm_audit_helper_pktinfo(struct
sk_buff *skb, u16 family, iph6 = ipv6_hdr(skb
On Wednesday 01 October 2008 3:20:13 pm LC Bruzenak wrote:
On Wed, 2008-10-01 at 14:38 -0400, Paul Moore wrote:
On Wednesday 01 October 2008 9:15:27 am Eric Paris wrote:
On Tue, 2008-09-30 at 15:18 -0400, John Dennis wrote:
Eric likes to point out we can't change the
kernel
at me when glancing at your patch:
1. SELinux SIDs should not be recorded
2. From a SELinux/security point of view ttys are considered objects
and their labels/contexts should be recorded with obj= not subj=
--
paul moore
linux @ hp
On Friday 20 March 2009 04:53:27 am Miloslav Trmac wrote:
- Paul Moore paul.mo...@hp.com wrote:
There are several audit experts which should review this code but two
things jumped out at me when glancing at your patch:
1. SELinux SIDs should not be recorded
Almost all code
*/
+ cmpq $0,%rsi/* is it 0? */
setl %al/* 1 if so, 0 if not */
movzbl %al,%edi /* zero-extend that into %edi */
inc %edi /* first arg, 0-1(AUDITSC_SUCCESS), 1-2(AUDITSC_FAILURE) */
--
paul moore
linux @ hp
On Tuesday 07 April 2009 10:44:09 pm Klaus Heinrich Kiwi wrote:
On Tue, 2009-04-07 at 11:34 -0400, Paul Moore wrote:
Does anyone have any thoughts?
I remember debugging an issue with the incorrect return value being
audited for a syscall. It was s390[x] specific and only occurred
On Tuesday 05 May 2009 03:07:36 pm Tony Jones wrote:
On Tue, May 05, 2009 at 02:22:04PM -0400, Paul Moore wrote:
I believe Matt Anderson (CC'd) reported the bug you are referring to and
the workaround I posted seemed to fix the issue for him. I've stopped
looking
I'll check it out, I see
On Tuesday 05 May 2009 03:34:43 pm Tony Jones wrote:
On Tue, May 05, 2009 at 03:20:52PM -0400, Paul Moore wrote:
On Tuesday 05 May 2009 03:07:36 pm Tony Jones wrote:
On Tue, May 05, 2009 at 02:22:04PM -0400, Paul Moore wrote:
I believe Matt Anderson (CC'd) reported the bug you
On Thursday 07 May 2009 07:05:00 pm Tony Jones wrote:
On Tue, May 05, 2009 at 03:50:01PM -0400, Paul Moore wrote:
No problem. As far as I'm aware the discussion never went beyond this
thread as I was unable to recreate the problem with the (then) current
kernels but it may not be a bad
tclass=netif
New message example:
audit(1253576792.161:30): avc: denied { ingress } for
saddr=::1 src=5000 daddr=::1 dest=35502 netif=lo
scontext=system_u:object_r:unlabeled_t:s15:c0.c1023
tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netif
Signed-off-by: Paul Moore paul.mo
. The signal information code however forgot
that check. Thus users will see a message in syslog indicating that
converting the sid to string failed. Add the right check.
Signed-off-by: Eric Paris epa...@redhat.com
Looks good to me.
Reviewed-by: Paul Moore p...@paul-moore.com
---
diff
On Tuesday, October 29, 2013 05:29:41 PM Eric Paris wrote:
On Tue, 2013-10-29 at 17:28 -0400, Paul Moore wrote:
Take x86_64 and x32 as an example (think of x32 as a 32-bit version of
x86_64). Both x32 and x86_64 use the AUDIT_ARCH_X86_64 value and general
calling convention, but they have
that here.
There ya go, hopefully this helps somewhat. If you have any questions I'll do
my best to try and answer them.
-Paul
[1] http://sourceforge.net/projects/libseccomp
--
paul moore
security and virtualization @ redhat
the permissive state from it,
rather than the output string itself.
I'm fine with this patch, but before I merge it for next I just wanted to make
sure there isn't another revision coming?
--
paul moore
www.paul-moore.com
On Thursday, May 01, 2014 01:11:57 PM Stephen Smalley wrote:
I'm fine with it as is.
Okay, it's applied to the next branch.
On Thu, May 1, 2014 at 12:09 PM, Paul Moore p...@paul-moore.com wrote:
On Wednesday, April 30, 2014 09:08:28 AM Stephen Smalley wrote:
The revised patch switched from
architectures (e.g. create a filter
that allows both x86-64 and x32 but disallows x86, or any combination of the
three for that matter).
--
paul moore
security and virtualization @ redhat
On Thursday, July 10, 2014 11:38:12 PM Richard Guy Briggs wrote:
Add a definition for 32-bit native system calls under 64-bit x86
architectures. This is distinct from 32-bit emulation under 64-bit x86
architectures.
Cc: Paul Moore pmo...@redhat.com
Cc: Eric Paris epa...@redhat.com
Cc: Al
On Friday, July 11, 2014 12:23:33 PM Eric Paris wrote:
On Fri, 2014-07-11 at 12:21 -0400, Paul Moore wrote:
On Friday, July 11, 2014 12:16:47 PM Eric Paris wrote:
On Fri, 2014-07-11 at 12:11 -0400, Paul Moore wrote:
On Thursday, July 10, 2014 09:06:02 PM H. Peter Anvin wrote
On Friday, July 11, 2014 12:16:47 PM Eric Paris wrote:
On Fri, 2014-07-11 at 12:11 -0400, Paul Moore wrote:
On Thursday, July 10, 2014 09:06:02 PM H. Peter Anvin wrote:
Incidentally: do seccomp users know that on an x86-64 system you can
receive system calls from any of the x86
compatibility with existing seccomp
filter users.
--
paul moore
security and virtualization @ redhat
,
sksec-sclass);
if (!selinux_enforcing || security_get_allow_unknown())
err = 0;
}
--
paul moore
security and virtualization @ redhat
On Monday, September 22, 2014 04:59:39 PM Richard Guy Briggs wrote:
On 14/09/22, Paul Moore wrote:
On Thursday, September 18, 2014 08:50:17 PM Richard Guy Briggs wrote:
Convert audit_log() call to WARN_ONCE().
Rename type= to nlmsg_type= to avoid confusion with the audit record
, AUDIT_SELINUX_ERR,
+ op=security_sid_mls_copy
+ invalid_context=%s, s);
kfree(s);
}
goto out_unlock;
--
paul moore
security and virtualization @ redhat
After a long stint maintaining the audit tree, Eric asked me to step
in and handle the day-to-day management of the audit tree. We should
also update the linux-audit mailing list entry to better reflect
current usage.
Signed-off-by: Paul Moore pmo...@redhat.com
---
MAINTAINERS |5 +++--
1
the kernel for audit
capabilities?
--
paul moore
security and virtualization @ redhat
Hi Stephen,
The audit tree has just changed hands and as a result the git repo has
changed. The new location is:
* git://git.infradead.org/users/pcmoore/audit next
Thanks,
-Paul
--
paul moore
www.paul-moore.com
On Monday, October 20, 2014 07:33:39 PM Steve Grubb wrote:
On Monday, October 20, 2014 07:02:33 PM Paul Moore wrote:
On Monday, October 20, 2014 06:47:27 PM Eric Paris wrote:
On Mon, 2014-10-20 at 16:25 -0400, Steve Grubb wrote:
On Thursday, October 02, 2014 11:06:51 PM Richard Guy
;)
Before we go too much farther, I'd really like us to agree that ordering is not
important, can we do that? As a follow up, what do we need to do to make that
happen in the userspace tools?
--
paul moore
security and virtualization @ redhat
On Tuesday, October 21, 2014 06:19:52 PM Eric Paris wrote:
On Tue, 2014-10-21 at 17:56 -0400, Paul Moore wrote:
* Change the audit_status.version field comment in
include/uapi/linux/audit.h to /* audit functionality bitmap */, or
similar. We can't really change the structure now
On Wednesday, October 22, 2014 09:19:10 AM Stephen Rothwell wrote:
Hi Paul,
On Tue, 21 Oct 2014 17:00:48 -0400 Paul Moore p...@paul-moore.com wrote:
The audit tree has just changed hands and as a result the git repo has
changed. The new location is:
* git://git.infradead.org/users
On Wednesday, October 22, 2014 10:25:35 AM Steve Grubb wrote:
On Tuesday, October 21, 2014 06:30:24 PM Paul Moore wrote:
This is getting back to my earlier concerns/questions about field
ordering, or at the very least I'm going to hijack this conversation and
steer it towards field ordering
On Wednesday, October 22, 2014 01:56:13 PM Steve Grubb wrote:
On Wednesday, October 22, 2014 11:28:46 AM Paul Moore wrote:
On Wednesday, October 22, 2014 10:25:35 AM Steve Grubb wrote:
On Tuesday, October 21, 2014 06:30:24 PM Paul Moore wrote:
This is getting back to my earlier concerns
On Wednesday, October 22, 2014 03:34:24 PM LC Bruzenak wrote:
On 10/22/2014 03:06 PM, Paul Moore wrote:
But it illustrates the point. There are tools that depend on an
ordering and format. There are more programs than just ausearch that
need to be considered if the fields change
On Wednesday, October 22, 2014 04:39:49 PM Steve Grubb wrote:
On Wednesday, October 22, 2014 04:06:47 PM Paul Moore wrote:
On Wednesday, October 22, 2014 01:56:13 PM Steve Grubb wrote:
On Wednesday, October 22, 2014 11:28:46 AM Paul Moore wrote:
On Wednesday, October 22, 2014 10:25:35 AM
On Wednesday, October 22, 2014 04:11:08 PM LC Bruzenak wrote:
On 10/22/2014 03:44 PM, Paul Moore wrote:
We haven't changed anything yet, but I strongly believe we need to do away
with field ordering. The good news is that if you explicitly search for
the field instead of relying on a fixed
On Thursday, October 23, 2014 09:19:49 AM LC Bruzenak wrote:
On 10/22/2014 04:29 PM, Paul Moore wrote:
Well, like I said, It's probably safer that way as the code will work
regardless. Time to break bad habits :)
I hear you. But there's working and there's working well.
As long as we
On Wednesday, October 22, 2014 05:18:37 PM Steve Grubb wrote:
On Wednesday, October 22, 2014 05:00:03 PM Paul Moore wrote:
On Wednesday, October 22, 2014 04:39:49 PM Steve Grubb wrote:
Except you can have problems when the event is like this
auid= pid= old uid= new uid= res=
I
(+), 1 deletions(-)
Acked-by: Paul Moore p...@paul-moore.com
diff --git a/kernel/audit.c b/kernel/audit.c
index d20f00f..3a80abb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -724,7 +724,7 @@ static int audit_get_feature(struct sk_buff *skb)
seq = nlmsg_hdr(skb)-nlmsg_seq
-rc2. The patch is currently in the urgent/tip
tree.
* https://www.redhat.com/archives/linux-audit/2014-October/msg00138.html
--
paul moore
www.paul-moore.com
=, pid);
- audit_log_untrustedstring(ab, tsk-comm);
+ audit_log_untrustedstring(ab,
get_task_comm(comm, tsk));
}
}
break;
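Review bot: in the replacement call `get_task_comm(comm, tsk)`, the destination buffer `comm` is not declared anywhere in the lines shown; it needs to be a local `char comm[sizeof(tsk->comm)]` (TASK_COMM_LEN bytes) in the enclosing scope so the locked copy is neither truncated nor overrun. Keeping `audit_log_untrustedstring()` for the copied name is the right call, since a task's name can be set by the task itself and must still be escaped in the record.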
--
paul moore
security and virtualization @ redhat