* filtering on inode ouid
From: Peter Moody @ 2011-11-08 22:25 UTC (permalink / raw)
To: linux-audit
Apologies if this is the wrong list:
Is it possible to filter on what shows up in the audit logs as the ouid of
an inode being accessed?
Alternatively, if I'm only interested in inodes of a particular ouid (or
more specifically, accesses to an inode of a particular ouid from a process
with a different uid), is my best bet doing post-audit filtering?
cheers,
peter
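The post-audit filtering asked about above, as an added example that is not part of the original thread: it groups raw audit.log records by event id and reports accesses to inodes of a given `ouid` made by a process with a different `uid`. The sample records are constructed, the function name `cross_owner_accesses` is hypothetical, and it assumes each event has a SYSCALL record (process `uid`) and PATH records (inode `ouid`) sharing one `msg=audit(...)` id.

```python
import re
from collections import defaultdict

# Constructed sample in raw audit.log style (not taken from the thread).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1320791100.123:4521): arch=c000003e syscall=2 success=yes exit=3 pid=2211 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1320791100.123:4521): item=0 name="/home/alice/notes.txt" inode=131 dev=08:01 mode=0100644 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1320791101.456:4522): arch=c000003e syscall=2 success=yes exit=3 pid=2190 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1320791101.456:4522): item=0 name="/home/alice/todo.txt" inode=132 dev=08:01 mode=0100600 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1320791102.789:4523): arch=c000003e syscall=2 success=yes exit=3 pid=2215 auid=1001 uid=1001 gid=1001 euid=1001 comm="less" exe="/usr/bin/less"
type=PATH msg=audit(1320791102.789:4523): item=0 name="/home/bob/report.txt" inode=210 dev=08:01 mode=0100644 ouid=1001 ogid=1001
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def cross_owner_accesses(log_text, target_ouid):
    """Return (event_id, uid, comm, path) for accesses to inodes owned by
    target_ouid made by a process whose uid differs from that owner."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        # SYSCALL carries the process credentials; PATH carries the inode owner.
        if rtype == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif rtype == "PATH":
            events[event_id]["paths"].append(fields)
    hits = []
    for event_id, ev in events.items():
        sc = ev["syscall"]
        if sc is None or "uid" not in sc:
            continue  # PATH record without its SYSCALL: nothing to compare
        for p in ev["paths"]:
            if p.get("ouid") == str(target_ouid) and sc["uid"] != p["ouid"]:
                hits.append((event_id, int(sc["uid"]), sc.get("comm"), p.get("name")))
    return hits


if __name__ == "__main__":
    for hit in cross_owner_accesses(SAMPLE_LOG, 1000):
        print(hit)
```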
* Re: filtering on inode ouid
From: Eric Paris @ 2011-11-08 23:17 UTC (permalink / raw)
To: Peter Moody; +Cc: linux-audit
On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> Apologies if this is the wrong list:
>
>
> Is it possible to filter on what shows up in the audit logs as the
> ouid of an inode being accessed?
>
>
> Alternatively, if I'm only interested in inodes of a particular ouid
> (or more specifically, accesses to an inode of a particular ouid from
> a process with a different uid), is my best bet doing post-audit
> filtering?
I have some patches you are likely to see on this list this week which
implement exactly both of these questions (I'm actually working on my
audit tree right now, I'm about 27 patches deep and probably have a
couple more to go). Specifically one to allow audit on ouid and one to
allow audit on uid != ouid or uid == ouid.
-Eric
* Re: filtering on inode ouid
From: Peter Moody @ 2011-11-09 0:07 UTC (permalink / raw)
To: Eric Paris; +Cc: linux-audit
On Tue, Nov 8, 2011 at 3:17 PM, Eric Paris <eparis@redhat.com> wrote:
> On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> > Apologies if this is the wrong list:
> >
> >
> > Is it possible to filter on what shows up in the audit logs as the
> > ouid of an inode being accessed?
> >
> >
> > Alternatively, if I'm only interested in inodes of a particular ouid
> > (or more specifically, accesses to an inode of a particular ouid from
> > a process with a different uid), is my best bet doing post-audit
> > filtering?
>
> I have some patches you are likely to see on this list this week which
> implement exactly both of these questions (I'm actually working on my
> audit tree right now, I'm about 27 patches deep and probably have a
> couple more to go). Specifically one to allow audit on ouid and one to
> allow audit on uid != ouid or uid == ouid.
>
Excellent, I'm looking forward to it!
Cheers,
peter
> -Eric
>
>
>
* Re: filtering on inode ouid
From: Peter Moody @ 2011-11-09 19:42 UTC (permalink / raw)
To: Eric Paris; +Cc: linux-audit
On Tue, Nov 8, 2011 at 3:17 PM, Eric Paris <eparis@redhat.com> wrote:
> On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> > Apologies if this is the wrong list:
> >
> >
> > Is it possible to filter on what shows up in the audit logs as the
> > ouid of an inode being accessed?
> >
> >
> > Alternatively, if I'm only interested in inodes of a particular ouid
> > (or more specifically, accesses to an inode of a particular ouid from
> > a process with a different uid), is my best bet doing post-audit
> > filtering?
>
> I have some patches you are likely to see on this list this week which
> implement exactly both of these questions (I'm actually working on my
> audit tree right now, I'm about 27 patches deep and probably have a
> couple more to go). Specifically one to allow audit on ouid and one to
> allow audit on uid != ouid or uid == ouid.
>
Out of curiosity, these are both kernel and userland patches, right?
> -Eric
>
>
>