AUDIT_NETFILTER_PKT message format
Richard Guy Briggs
rgb at redhat.com
Fri Feb 17 02:24:56 UTC 2017
On 2017-02-16 20:57, Paul Moore wrote:
> [NOTE: I'll respond back to the other part of your email later but I'm
> running out of time in the day and this was a quick but important
> response]
>
> On Thu, Feb 16, 2017 at 5:36 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > Steve has requested the subject attributes which prefixes 7 fields.
>
> I already commented on this earlier in this thread - or some other
> related thread, I've lost track, but both you and Steve were on the
> To/CC line - last time I checked, you can't reliably link packets to
> the sender/subject in the netfilter hooks (I'll be shocked if this has
> changed). The best you can do in some cases is to link the packet to
> the socket, and that isn't going to help you.
Ok, thanks for this clarification. Maybe I'm mis-remembering what user
information is available in software interrupts rather than user
context. This will need more investigation...
> paul moore
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635