[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2543770.gFq7b6OZdx@x2>
Date: Thu, 23 Jan 2020 15:11:42 -0500
From: Steve Grubb <sgrubb@...hat.com>
To: linux-audit@...hat.com
Cc: Richard Guy Briggs <rgb@...hat.com>,
Paul Moore <paul@...l-moore.com>,
Eric Paris <eparis@...isplace.org>, nhorman@...hat.com,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH ghak28 V4] audit: log audit netlink multicast bind and unbind events
On Thursday, January 23, 2020 11:13:49 AM EST Richard Guy Briggs wrote:
> Steve, can you say why this order should be the standard? From:
> http://people.redhat.com/sgrubb/audit/record-fields.html
The majority of events go down the path of:
pid,uid,auid,ses,subj,op,comm,exe,res
Which lands on the parse_user() function.
If for some reason we really wanted to stay on a "kernel" parser, then I'd
recommend:
auid,uid,ses,subj,pid,comm,exe,op,res
which lands on the parse_kernel_anom() function.
Either of those have complete information and requires no syscall record.
-Steve
> I get:
> SYSCALL/ANOM_LINK/FEATURE_CHANGE
> ppid pid auid uid gid euid suid
> fsuid egid sgid fsgid tty ses comm exe subj
> ANOM_ABEND/SECCOMP
> auid uid gid ses subj pid
> comm exe LOGIN
> pid uid subj old-auid auid tty
> old-ses ses SYSTEM_BOOT/SYSTEM_SHUTDOWN
> pid uid auid ses subj comm exe
> USER_LOGIN
> pid uid auid ses subj uid exe
> DAEMON_START
> auid pid uid ses subj
> DAEMON_CONFIG/DAEMON_END
> auid pid subj
> ANOM_PROMISCUOUS
> auid uid gid ses
> 52msgs
> pid uid auid ses subj *
> CONFIG_CHANGE
> auid ses subj
>
> This new record is:
> EVENT_LISTENER
> pid uid auid tty ses subj comm exe
>
> And using the search criteria following, I get no other matches:
> /pid.*uid.*auid.*tty.*ses.*subj.*comm.*exe
> so this appears to be a new field order.
Powered by blists - more mailing lists