public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Fri, 29 Apr 2016 09:39:04 -0400	[thread overview]
Message-ID: <20888678.3grpTmsTEK@x2> (raw)
In-Reply-To: <CAPNCXk2XY+bD6t7ZqkmE-Am24KqPw_6wraUc=6MhaRF7BZQ-cg@mail.gmail.com>

On Friday, April 29, 2016 10:03:02 AM Vincas Dargis wrote:
> There was email about fixing ausearch for AppArmor:
> 
> https://www.redhat.com/archives/linux-audit/2014-May/msg00094.html
> 
> Is there any progress regarding that issue?

You'll have to ask the AppArmor folks. I gave them a whole block of numbers to 
use for their own purposes so that we don't have any problems. If they instead 
create malformed SE Linux events, then things will never work right unless 
they patch them. I don't plan to carry a patch in the main utility because it 
completely violates all audit assumptions.

The main rule is that all audit records of the same type have to have the 
exact same fields, in the same order, with the same format or no one can 
analyze the events. You have to think of each record as a database table. Each 
record is a row, each field is a column.


> I have tried to search for AVC on Debian Testing (auditd 2.4.5), and
> it fails to "grep" me AppArmor related events.
> 
> P.S. How do I actually reply to the original thread that I did not
> receive, since I just subscribed? I thought I could maybe find the raw
> message in the archive https://www.redhat.com/archives/linux-audit/ but
> there isn't one (no such message in 2014-May/Jun gz). Oh how I hate
> using mailing lists so much... /rant.

Just start a new one. Why worry?

-Steve
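An added illustration of the "same fields, same order" rule stated above; this is not code from the thread or from the audit project. It groups records by their type= value and flags any record whose field layout differs from the first record of that type. The log lines are constructed samples modeled on SELinux-style and AppArmor-style AVC records, and the field regex is deliberately simplistic (it assumes quoted values contain no "=").

```python
import re

# Constructed sample records (not taken from the thread): two SELinux-style
# AVC records followed by an AppArmor-style record that reuses type=AVC but
# carries a completely different set of fields.
SAMPLE_LOG = """\
type=AVC msg=audit(1461936000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1461936000.205:202): avc:  denied  { write } for  pid=1202 comm="httpd" name="log" dev="sda1" ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1461936000.310:203): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/example.conf" pid=1203 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# A field name is a word immediately followed by '=' at the start of the
# record body or after whitespace (so "avc:" and "{ read }" are not fields).
FIELD_RE = re.compile(r'(?:^|\s)(\w+)=')


def record_type(record):
    """Return the value of the leading type= field of one audit record."""
    return record.split(' ', 1)[0].split('=', 1)[1]


def field_layout(record):
    """Return the ordered tuple of field names after the msg=audit(...) prefix."""
    body = record.split(': ', 1)[1] if ': ' in record else record
    return tuple(FIELD_RE.findall(body))


def find_layout_mismatches(log_text):
    """Treat each record type as a table: the first record of a type defines
    its columns, and every later record of that type must present the same
    columns in the same order. Return (line number, type, layout) for each
    record that breaks this rule."""
    expected = {}
    mismatches = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rtype = record_type(line)
        layout = field_layout(line)
        if rtype not in expected:
            expected[rtype] = layout
        elif layout != expected[rtype]:
            mismatches.append((lineno, rtype, layout))
    return mismatches


if __name__ == "__main__":
    for lineno, rtype, layout in find_layout_mismatches(SAMPLE_LOG):
        print(f"line {lineno}: type={rtype} has unexpected layout {layout}")
```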

Thread overview: 23+ messages
2016-04-29  7:03 [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log Vincas Dargis
2016-04-29 13:39 ` Steve Grubb [this message]
2016-04-29 16:07   ` Vincas Dargis
2016-04-29 16:30     ` Steve Grubb
2016-05-02 21:18       ` Paul Moore
2016-04-29 15:41 ` Richard Guy Briggs
2016-04-29 16:58   ` Vincas Dargis
  -- strict thread matches above, loose matches on Subject: below --
2014-05-28 22:33 Tony Jones
2014-05-29  8:31 ` Tyler Hicks
2014-05-29 15:01   ` Steve Grubb
2014-05-29 15:15     ` Tyler Hicks
2014-06-03  1:00   ` Tony Jones
2014-06-03 14:47     ` Steve Grubb
2014-06-03 16:34       ` Tony Jones
2014-05-29 15:21 ` Tyler Hicks
2014-05-30 19:53 ` Steve Grubb
2014-05-30 20:16   ` Tyler Hicks
2014-05-30 21:00     ` Steve Grubb
2014-05-31  0:01       ` Tony Jones
2014-06-06 18:46       ` Tyler Hicks
2014-06-06 21:10         ` Tyler Hicks
2014-06-24  0:06           ` Tony Jones
2014-06-24 15:34             ` Eric Paris
