[PATCH 0/6][v2] audit: implement multicast socket for journald
Richard Guy Briggs
rgb at redhat.com
Tue Oct 7 04:09:46 UTC 2014
On 14/04/28, Steve Grubb wrote:
> Hello,
>
> Removing people that probably could care less about an audit event...
>
> On Tuesday, April 22, 2014 11:57:55 PM Eric Paris wrote:
> > > Also, shouldn't we have an audit event for every attempt to connect to
> > > this socket? We really need to know where this information is getting
> > > leaked to.
> >
> > We certainly can. What would you like to see in that event?
>
> I think it should be patterned after the other "standalone" kernel audit
> events. We need pid, session, uid, auid, subj, comm, exe, and results. The
> event type should be something like AUDIT_EVENT_LISTENER. I am wondering about
> the usefulness of also adding op=connect op=disconnect to bracket the times
> when something else was listening in on audit events.
I assume that the order of these is not yet important and that gid should
also be in this list (which will let me use audit_log_task()).
> -Steve
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
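
Added example, not part of the original message or of the patch set: a sketch of how connect/disconnect records of the kind proposed above could be paired to show when something was listening on the audit multicast socket. The record type name `EVENT_LISTENER`, the key=value layout, the short keys `ses` and `res`, and every sample value are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample records. The type name and key=value layout are
# assumptions modeled on the fields proposed in the thread, not kernel output.
SAMPLE = """\
type=EVENT_LISTENER msg=audit(1412654986.100:41): pid=812 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:syslogd_t:s0 comm="journald" exe="/usr/lib/systemd/systemd-journald" op=connect res=1
type=EVENT_LISTENER msg=audit(1412655010.250:57): pid=2301 uid=1000 auid=1000 ses=3 subj=unconfined_t comm="listener" exe="/tmp/listener" op=connect res=0
type=EVENT_LISTENER msg=audit(1412655020.000:60): pid=2410 uid=0 auid=1000 ses=3 subj=unconfined_t comm="listener" exe="/tmp/listener" op=connect res=1
type=EVENT_LISTENER msg=audit(1412655080.500:75): pid=2410 uid=0 auid=1000 ses=3 subj=unconfined_t comm="listener" exe="/tmp/listener" op=disconnect res=1
"""

STAMP = re.compile(r"audit\((\d+\.\d+):\d+\)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
Window = namedtuple("Window", "pid auid exe start end")


def listener_windows(text):
    """Return (windows, denied).

    windows: one Window per successful connect; end is None when no matching
             disconnect was seen, i.e. the listener may still be attached.
    denied:  (timestamp, pid, exe) for every attempt with res != 1.
    """
    still_open, windows, denied = {}, [], []
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        stamp = STAMP.search(line)
        if fields.get("type") != "EVENT_LISTENER" or stamp is None:
            continue
        ts, pid = float(stamp.group(1)), int(fields["pid"])
        if fields["res"] != "1":
            denied.append((ts, pid, fields["exe"]))
        elif fields["op"] == "connect":
            still_open[pid] = (ts, fields)
        elif fields["op"] == "disconnect" and pid in still_open:
            start, conn = still_open.pop(pid)
            windows.append(Window(pid, conn["auid"], conn["exe"], start, ts))
    # Connects without a disconnect: report them with an open-ended window.
    for pid, (start, conn) in still_open.items():
        windows.append(Window(pid, conn["auid"], conn["exe"], start, None))
    return sorted(windows, key=lambda w: w.start), denied
```
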