From: Eric Paris <eparis@redhat.com>
To: Peter Moody <auditd@hda3.com>
Cc: linux-audit@redhat.com
Subject: Re: filtering on inode ouid
Date: Tue, 08 Nov 2011 18:17:21 -0500
Message-ID: <1320794241.10093.48.camel@localhost>
In-Reply-To: <CADbMJxkQ1waG5CX7Yg_kUjZ6br+tFUWf2M1YUp0Hq8kOJnEV9w@mail.gmail.com>

On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> Apologies if this is the wrong list:
> 
> 
> Is it possible to filter on what shows up in the audit logs as the
> ouid of an inode being accessed?
> 
> 
> Alternatively, if I'm only interested in inodes of a particular ouid
> (or more specifically, accesses to an inode of a particular ouid from
> a process with a different uid), is my best bet doing post-audit
> filtering?

I have some patches you are likely to see on this list this week which
implement exactly both of these questions (I'm actually working on my
audit tree right now, I'm about 27 patches deep and probably have a
couple more to go).  Specifically one to allow audit on ouid and one to
allow audit on uid != ouid or uid == ouid.

-Eric
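
The post-audit filtering asked about in the quoted question, as an added example that is not part of the original message or of the audit project's code: it groups raw audit.log records by event id and reports PATH records whose ouid matches a given owner while the SYSCALL record's uid differs. The function names are hypothetical, the log lines are constructed, and it assumes each event carries one SYSCALL record plus one or more PATH records.

```python
import re
from collections import defaultdict

# Constructed sample records in raw audit.log layout (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1320794241.101:501): arch=c000003e syscall=2 success=yes exit=3 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1320794241.101:501): item=0 name="/home/alice/notes.txt" inode=1234 mode=0100644 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1320794242.202:502): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 gid=1000 euid=1000 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1320794242.202:502): item=0 name="/home/alice/notes.txt" inode=1234 mode=0100644 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1320794243.303:503): arch=c000003e syscall=2 success=yes exit=3 auid=1001 uid=1001 gid=1001 euid=1001 comm="touch" exe="/bin/touch"
type=PATH msg=audit(1320794243.303:503): item=0 name="/tmp" inode=2 mode=041777 ouid=0 ogid=0
type=PATH msg=audit(1320794243.303:503): item=1 name="/tmp/scratch" inode=99 mode=0100644 ouid=1001 ogid=1001
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by event id (timestamp:serial) and record type."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[event_id][rtype].append(fields)
    return events


def foreign_accesses(text, owner_uid):
    """Return (event_id, uid, path) for each PATH record whose ouid equals
    owner_uid while the SYSCALL record's uid differs from it."""
    hits = []
    for event_id, recs in sorted(parse_events(text).items()):
        syscalls = recs.get("SYSCALL", [])
        uid = syscalls[0].get("uid") if syscalls else None
        if uid is None:
            continue  # no process uid to compare against
        for path in recs.get("PATH", []):
            if path.get("ouid") == str(owner_uid) and uid != path["ouid"]:
                hits.append((event_id, int(uid), path.get("name", "?")))
    return hits


if __name__ == "__main__":
    for hit in foreign_accesses(SAMPLE_LOG, 1000):
        print(hit)
```
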
