From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: filtering on inode ouid
Date: Tue, 08 Nov 2011 18:17:21 -0500
Message-ID: <1320794241.10093.48.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Peter Moody
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> Apologies if this is the wrong list:
>
>
> Is it possible to filter on what shows up in the audit logs as the
> ouid of an inode being accessed?
>
>
> Alternatively, if I'm only interested in inodes of a particular ouid
> (or more specifically, accesses to an inode of a particular ouid from
> a process with a different uid), is my best bet doing post-audit
> filtering?

I have some patches you are likely to see on this list this week which
implement exactly both of these questions (I'm actually working on my
audit tree right now, I'm about 27 patches deep and probably have a
couple more to go). Specifically one to allow audit on ouid and one to
allow audit on uid != ouid or uid == ouid.

-Eric
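
The post-audit filtering fallback raised in the question, as an added example that is not part of the original thread or of the patches mentioned in it: it pairs each PATH record's ouid with the uid of the SYSCALL record in the same audit event and reports accesses where the two differ. The function names and the sample records are constructed for illustration, and the record layout assumed is the usual type=SYSCALL / type=PATH format of audit.log.

```python
import re
from collections import defaultdict

# Constructed sample records in the Linux audit log format (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1320794241.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1320794241.101:501): item=0 name="/home/bob/notes.txt" inode=1234 dev=08:01 mode=0100644 ouid=1001 ogid=1001
type=SYSCALL msg=audit(1320794242.202:502): arch=c000003e syscall=2 success=yes exit=3 pid=2002 auid=1001 uid=1001 gid=1001 euid=1001 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1320794242.202:502): item=0 name="/home/bob/notes.txt" inode=1234 dev=08:01 mode=0100644 ouid=1001 ogid=1001
type=SYSCALL msg=audit(1320794243.303:503): arch=c000003e syscall=2 success=yes exit=3 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1320794243.303:503): item=0 name="/etc/hosts" inode=77 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1320794244.404:504): arch=c000003e syscall=2 success=yes exit=3 pid=2004 auid=1000 uid=0 gid=0 euid=0 comm="less" exe="/usr/bin/less"
type=PATH msg=audit(1320794244.404:504): item=0 name="/home/bob/.ssh/config" inode=1300 dev=08:01 mode=0100600 ouid=1001 ogid=1001
"""

EVENT_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event serial: {serial: {"SYSCALL": {...}, "PATH": [...]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "SYSCALL":
            events[int(serial)]["SYSCALL"] = fields
        elif rtype == "PATH":
            events[int(serial)]["PATH"].append(fields)
    return events

def foreign_accesses(text, target_ouid):
    """Return (serial, uid, path) where an inode owned by target_ouid was accessed by another uid."""
    hits = []
    for serial, ev in sorted(parse_events(text).items()):
        sc = ev["SYSCALL"]
        if sc is None or "uid" not in sc:
            continue  # PATH without its SYSCALL record cannot be attributed to a uid
        for p in ev["PATH"]:
            if p.get("ouid") == str(target_ouid) and sc["uid"] != p["ouid"]:
                hits.append((serial, int(sc["uid"]), p.get("name", "?")))
    return hits

if __name__ == "__main__":
    for hit in foreign_accesses(SAMPLE_LOG, 1001):
        print(hit)
```
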