From: Steve Grubb
Subject: Re: [PATCH 0/6][v2] audit: implement multicast socket for journald
Date: Mon, 28 Apr 2014 18:08:55 -0400
Message-ID: <4319780.ABUmAV9CjH@x2>
References: <20140422.161904.1187535812839850973.davem@davemloft.net> <26389161.vp9iWSVLPX@x2> <1398225475.750.7.camel@localhost>
In-Reply-To: <1398225475.750.7.camel@localhost>
To: Eric Paris
Cc: Richard Guy Briggs, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

Removing people that probably could care less about an audit event...

On Tuesday, April 22, 2014 11:57:55 PM Eric Paris wrote:
> > Also, shouldn't we have an audit event for every attempt to connect to
> > this socket? We really need to know where this information is getting
> > leaked to.
>
> We certainly can. What would you like to see in that event?

I think it should be patterned after the other "standalone" kernel audit
events. We need pid, session, uid, auid, subj, comm, exe, and results. The
event type should be something like AUDIT_EVENT_LISTENER. I am wondering about
the usefulness of also adding op=connect op=disconnect to bracket the times
when something else was listening in on audit events.

-Steve
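
An added example, not part of the message above or of the patch set: one way a log reviewer could use the proposed op=connect/op=disconnect bracketing to work out when something was listening on the audit multicast socket. The record layout, the key names ses and res (standing in for "session" and "results"), and every sample value are constructed assumptions; only the field list and the AUDIT_EVENT_LISTENER name come from the message.

```python
import re

# Constructed sample records (assumed layout, not real kernel output).
SAMPLE = """\
type=AUDIT_EVENT_LISTENER msg=audit(1398722935.100:501): pid=812 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:syslogd_t:s0 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" op=connect res=1
type=AUDIT_EVENT_LISTENER msg=audit(1398722990.250:517): pid=4410 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm="listener" exe="/tmp/listener" op=connect res=0
type=AUDIT_EVENT_LISTENER msg=audit(1398723001.000:520): pid=4522 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm="listener" exe="/tmp/listener" op=connect res=1
type=AUDIT_EVENT_LISTENER msg=audit(1398723061.500:533): pid=4522 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm="listener" exe="/tmp/listener" op=disconnect res=1
"""

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
STAMP = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # audit(epoch.millis:serial)

def parse(line):
    """Return a dict for one listener record, or None for anything else."""
    rec = {k: v.strip('"') for k, v in PAIR.findall(line)}
    m = STAMP.search(rec.get("msg", ""))
    if rec.get("type") != "AUDIT_EVENT_LISTENER" or not m:
        return None
    rec["time"] = float(m.group(1))
    return rec

def listener_windows(text):
    """Pair connect/disconnect per pid.

    Returns (closed windows, listeners still attached, failed attempts).
    """
    open_by_pid, closed, denied = {}, [], []
    for rec in filter(None, map(parse, text.splitlines())):
        if rec.get("res") != "1":
            denied.append(rec)                     # attempt that did not succeed
        elif rec.get("op") == "connect":
            open_by_pid[rec["pid"]] = rec
        elif rec.get("op") == "disconnect":
            start = open_by_pid.pop(rec["pid"], None)
            closed.append({"pid": rec["pid"], "exe": rec["exe"], "auid": rec["auid"],
                           "start": start["time"] if start else None,  # None: connect not in log
                           "end": rec["time"]})
    return closed, list(open_by_pid.values()), denied

if __name__ == "__main__":
    closed, still_open, denied = listener_windows(SAMPLE)
    for w in closed:
        print("listened:", w)
    for r in still_open:
        print("still listening:", r["pid"], r["exe"])
    for r in denied:
        print("failed attempt:", r["pid"], r["auid"], r["exe"])
```

A disconnect with no matching connect is kept with start set to None, since that gap means the start of the listening window fell outside the log being reviewed.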