From: Marcelo Cerri
Subject: Re: [PATCH] auvirt: a new tool for reporting events related to virtual machines
Date: Tue, 24 Jan 2012 16:08:56 -0200
Message-ID: <4F1EF3B8.5080303@linux.vnet.ibm.com>
References: <1323964611-30053-1-git-send-email-mhcerri@linux.vnet.ibm.com> <201112201318.16636.sgrubb@redhat.com> <4F05D389.8090808@linux.vnet.ibm.com> <201201111620.06515.sgrubb@redhat.com>
In-Reply-To: <201201111620.06515.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com, gcwilson@us.ibm.com, bryntcor@us.ibm.com
List-Id: linux-audit@redhat.com

I took a look at some anomaly events and I'm thinking of correlating them to guests based on the SELinux context or maybe based on the pid field. Do you think there are other ways to correlate them?

Regards,
Marcelo

On 01/11/2012 07:20 PM, Steve Grubb wrote:
> On Thursday, January 05, 2012 11:44:57 AM Marcelo Cerri wrote:
>> But I'm not sure what "anomaly events" means. Would it be malformed
>> records (without some fields, for example) or a specific record type
>> generated by the kernel or some other userspace application?
>
> No, these are events in the range of AUDIT_FIRST_ANOM_MSG and
> AUDIT_LAST_ANOM_MSG and some from the kernel in the range of
> AUDIT_FIRST_KERN_ANOM_MSG and AUDIT_LAST_KERN_ANOM_MSG.
>
> -Steve
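The two points raised in this exchange, recognising anomaly events by their numeric type ranges and attributing them to a guest through the subj= (SELinux context) or pid= field, sketched as an added example. This is illustration code written for this page, not auvirt's or libaudit's own code. It assumes: the four range constants are redefined locally with the values from linux/audit.h and libaudit.h so the block compiles without the audit headers; a tiny name-to-number table stands in for audit_name_to_msg_type(); the audit records and guest descriptors are constructed sample data; the helpers type_number, is_anomaly_type, get_field, correlate and struct guest are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values, copied from linux/audit.h (kernel) and libaudit.h
 * (userspace); a real tool would include those headers instead. */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG  1799
#define AUDIT_FIRST_ANOM_MSG      2100
#define AUDIT_LAST_ANOM_MSG       2199

/* Name -> number for the sample records only; real code would call
 * audit_name_to_msg_type() or read the type via auparse_get_type(). */
static const struct { const char *name; int num; } type_table[] = {
    { "ANOM_PROMISCUOUS", 1700 }, { "ANOM_ABEND", 1701 },
    { "ANOM_LOGIN_FAILURES", 2100 }, { "ANOM_EXEC", 2112 },
    { "VIRT_CONTROL", 2500 },
};

int type_number(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof type_table / sizeof type_table[0]; i++)
        if (strcmp(type_table[i].name, name) == 0)
            return type_table[i].num;
    return -1;                      /* unknown name */
}

/* Anomaly event: in the userspace range or in the kernel range. */
int is_anomaly_type(int t)
{
    return (t >= AUDIT_FIRST_KERN_ANOM_MSG && t <= AUDIT_LAST_KERN_ANOM_MSG) ||
           (t >= AUDIT_FIRST_ANOM_MSG && t <= AUDIT_LAST_ANOM_MSG);
}

/* Copy the value of a "key=value" field (quotes stripped) into out. The key
 * must start the record or follow a space, so "pid" does not match "ppid="
 * or "vm-pid=". Returns 1 if the field was found, 0 otherwise. */
int get_field(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = rec;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1, *end;
            size_t n;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
                if (end == NULL) return 0;
            } else {
                end = v;
                while (*end != '\0' && *end != ' ') end++;
            }
            n = (size_t)(end - v);
            if (n >= outlen) return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* What the reporting tool knows about a running guest: its name, the sVirt
 * context of its qemu process and the qemu pid (hypothetical descriptor). */
struct guest { const char *name; const char *subj; long pid; };

/* Index of the guest an anomaly record belongs to, or -1 when the record is
 * not an anomaly event or matches no guest. The SELinux context is tried
 * first (unique per guest under sVirt); the pid is the fallback. */
int correlate(const char *rec, const struct guest *guests, size_t nguests)
{
    char type[64], subj[256], pidbuf[32];
    size_t i;
    if (!get_field(rec, "type", type, sizeof type)) return -1;
    if (!is_anomaly_type(type_number(type))) return -1;
    if (get_field(rec, "subj", subj, sizeof subj))
        for (i = 0; i < nguests; i++)
            if (strcmp(subj, guests[i].subj) == 0) return (int)i;
    if (get_field(rec, "pid", pidbuf, sizeof pidbuf)) {
        long pid = strtol(pidbuf, NULL, 10);
        for (i = 0; i < nguests; i++)
            if (pid == guests[i].pid) return (int)i;
    }
    return -1;
}

/* Constructed sample data, not real audit output. */
static const struct guest guests[] = {
    { "guest1", "system_u:system_r:svirt_t:s0:c123,c456", 1234 },
    { "guest2", "system_u:system_r:svirt_t:s0:c78,c910", 5678 },
};
static const char *records[] = {
    "type=VIRT_CONTROL msg=audit(1327427336.001:40): pid=900 uid=0 auid=500 ses=1 "
    "subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start "
    "vm=\"guest1\" vm-pid=1234 exe=\"/usr/sbin/libvirtd\" res=success'",
    "type=ANOM_ABEND msg=audit(1327427400.123:45): auid=4294967295 uid=107 gid=107 "
    "ses=4294967295 subj=system_u:system_r:svirt_t:s0:c123,c456 pid=1234 comm=\"qemu-kvm\" sig=11",
    "type=ANOM_ABEND msg=audit(1327427450.200:46): auid=4294967295 uid=107 gid=107 "
    "ses=4294967295 pid=5678 comm=\"qemu-kvm\" sig=6",   /* no subj=, SELinux disabled */
    "type=ANOM_LOGIN_FAILURES msg=audit(1327427500.456:47): pid=2000 uid=0 auid=500 ses=3 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=\"root\" exe=\"/usr/sbin/sshd\" res=failed'",
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof records / sizeof records[0]; i++) {
        int g = correlate(records[i], guests, 2);
        printf("record %u: %s\n", (unsigned)i,
               g >= 0 ? guests[g].name : "(not an anomaly, or no guest matched)");
    }
    return 0;
}
```

Two caveats that the real tool has to handle: a pid match is only meaningful between the guest's VIRT_CONTROL start and stop records, because pids are reused once qemu exits; and subj= is absent when SELinux is disabled, so the pid fallback is what remains in that configuration. In production code the records would come from auparse rather than from strstr over raw lines.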