From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [RFC PATCH ghak59 V1 6/6] audit: extend config_change mark/watch/tree rule changes
Date: Fri, 29 Jun 2018 08:31:31 -0400
Message-ID: <4353667.qdjHzgu0KO@x2>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7Bit
Return-path:
In-Reply-To:
Sender: linux-kernel-owner@vger.kernel.org
To: Paul Moore
Cc: rgb@redhat.com, linux-audit@redhat.com, linux-kernel@vger.kernel.org, Eric Paris, aviro@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, June 28, 2018 6:28:55 PM EDT Paul Moore wrote:
> On Thu, Jun 14, 2018 at 4:23 PM Richard Guy Briggs wrote:
> > Give a clue as to the source of mark, watch and tree rule changes.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/50
> > See: https://github.com/linux-audit/audit-kernel/issues/59
> > Signed-off-by: Richard Guy Briggs
> > ---
> >  kernel/audit.h          |  4 ++--
> >  kernel/audit_fsnotify.c |  2 +-
> >  kernel/audit_tree.c     | 24 ++++++++++++------------
> >  kernel/audit_watch.c    |  6 ++++--
> >  kernel/auditsc.c        |  4 ++--
> >  5 files changed, 21 insertions(+), 19 deletions(-)
>
> I think having some additional context here would be helpful for
> everyone, so I agree with this on principle. However, I think we need
> to get clarification from Steve that his parser is able to handle
> these richer "op" values.

Op fields are not searchable. So, they normally don't matter. But in general,
once they are defined, they should not change.

For the record, you can generally insert non-searchable fields anywhere and it
doesn't matter. Only the searchable fields like loginuid, uid, pid, exe, etc.
matter to the parser.

-Steve
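The point Steve makes about the parser, shown as an added illustration that is not part of the thread and not the audit userspace's own parser: a record is a sequence of key=value fields, searching keys only on a fixed set of searchable fields (here auid, which is how loginuid appears in records, plus uid, pid and exe, as named in the reply), and the value of a non-searchable field such as op is carried through untouched, so a richer op string, or a new field inserted anywhere, does not affect searches. The CONFIG_CHANGE records below are constructed, and the "op" values in them are illustrative placeholders, not the strings the patch actually emits.

```python
import re

# Constructed CONFIG_CHANGE records (not taken from the thread). The op values
# are placeholders for illustration, not the ones the kernel patch emits.
SAMPLE_RECORDS = [
    'type=CONFIG_CHANGE msg=audit(1530000000.100:101): auid=1000 ses=3 '
    'op=updated_rules path="/etc/passwd" key="passwd-watch" list=4 res=1',
    # A richer op string plus a non-searchable field inserted mid-record.
    'type=CONFIG_CHANGE msg=audit(1530000000.200:102): auid=1000 ses=3 '
    'example_note=constructed op=example_richer_watch_op '
    'path="/etc/shadow" key="shadow-watch" list=4 res=1',
    'type=CONFIG_CHANGE msg=audit(1530000000.300:103): auid=0 ses=1 '
    'op=remove_rule key="tmp-watch" list=4 res=1',
]

# Assumption for this example: the subset of searchable fields named in the
# reply (auid is the record spelling of loginuid). The real tools know more.
SEARCHABLE = {"auid", "uid", "pid", "exe"}

# key=value, where value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'([A-Za-z0-9_-]+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into an ordered dict of field name -> value.

    Unknown fields are kept verbatim; the parser never has to know what an
    op value means, it only has to tokenise it.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # strip quotes from path/key style values
        fields[key] = value
    return fields


def search(records, **criteria):
    """Return parsed records whose searchable fields all equal the criteria.

    Asking for a non-searchable field (for example op=...) is rejected, which
    is the behaviour the reply describes: op is carried, not searched.
    """
    unknown = set(criteria) - SEARCHABLE
    if unknown:
        raise ValueError(f"not searchable: {sorted(unknown)}")
    hits = []
    for line in records:
        fields = parse_record(line)
        if all(fields.get(k) == v for k, v in criteria.items()):
            hits.append(fields)
    return hits


def ops_seen(records):
    """Collect the op value of every record, whatever string it holds."""
    return [parse_record(line).get("op") for line in records]


if __name__ == "__main__":
    for rec in search(SAMPLE_RECORDS, auid="1000"):
        print(rec["msg"], "op=" + rec["op"], "path=" + rec.get("path", "-"))
    print("op values carried through:", ops_seen(SAMPLE_RECORDS))
```

Because the searchable fields are matched by name rather than by position, the second record (with its extra field and longer op string) is found by auid exactly like the first; only a change to the spelling of a searchable field's name or value would break existing searches.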