filtering on inode ouid

Peter Moody auditd at hda3.com
Wed Nov 9 00:07:57 UTC 2011


On Tue, Nov 8, 2011 at 3:17 PM, Eric Paris <eparis at redhat.com> wrote:

> On Tue, 2011-11-08 at 14:25 -0800, Peter Moody wrote:
> > Apologies if this is the wrong list:
> >
> >
> > Is it possible to filter on what shows up in the audit logs as the
> > ouid of an inode being accessed?
> >
> >
> > Alternatively, if I'm only interested in inodes of a particular ouid
> > (or more specifically, accesses to an inode of a particular ouid from
> > a process with a different uid), is my best bet doing post-audit
> > filtering?
>
> I have some patches you are likely to see on this list this week which
> implement exactly both of these questions (I'm actually working on my
> audit tree right now, I'm about 27 patches deep and probably have a
> couple more to go).  Specifically one to allow audit on ouid and one to
> allow audit on uid != ouid or uid == ouid.
>

Excellent, I'm looking forward to it!

Cheers,
peter


> -Eric
>
>
>
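For the post-audit filtering the original question mentions, the sketch below is an added example and is not part of the thread or of the audit project's code. It assumes the usual audit.log layout, where SYSCALL and PATH records of one event share the same msg=audit(timestamp:serial) id; the function name and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")  # timestamp:serial links an event's records
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="quoted value"

# Constructed, abbreviated sample records (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1320796800.123:4201): syscall=2 success=yes items=1 pid=2345 auid=1001 uid=1001 euid=1001 comm="cat"
type=PATH msg=audit(1320796800.123:4201): item=0 name="/home/alice/notes.txt" inode=131 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1320796803.551:4202): syscall=2 success=yes items=1 pid=2350 auid=1000 uid=1000 euid=1000 comm="vim"
type=PATH msg=audit(1320796803.551:4202): item=0 name="/home/alice/notes.txt" inode=131 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1320796809.002:4203): syscall=2 success=yes items=1 pid=2361 auid=1001 uid=1001 euid=1001 comm="cat"
type=PATH msg=audit(1320796809.002:4203): item=0 name="/etc/hosts" inode=77 ouid=0 ogid=0
type=SYSCALL msg=audit(1320796815.410:4204): syscall=2 success=yes items=1 pid=2377 auid=1001 uid=0 euid=0 comm="less"
type=PATH msg=audit(1320796815.410:4204): item=0 name="/home/alice/.ssh/config" inode=140 ouid=1000 ogid=1000
type=PATH msg=audit(1320796820.000:4205): item=0 name="/tmp/gone" nametype=UNKNOWN
"""

def cross_owner_accesses(log_text, target_ouid):
    """Return (event_id, uid, path) where the inode's ouid is target_ouid and the caller's uid differs."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") == "SYSCALL":
            events[m.group(1)]["syscall"] = fields
        elif fields.get("type") == "PATH":
            events[m.group(1)]["paths"].append(fields)
    hits = []
    for event_id, rec in events.items():
        sc = rec["syscall"]
        if sc is None or not sc.get("uid", "").isdigit():
            continue  # PATH record without its SYSCALL record: caller uid unknown
        for path in rec["paths"]:
            ouid = path.get("ouid", "")
            # PATH records for names that did not resolve carry no ouid; skip them.
            if ouid.isdigit() and int(ouid) == target_ouid and int(sc["uid"]) != target_ouid:
                hits.append((event_id, int(sc["uid"]), path.get("name", "?")))
    return hits

if __name__ == "__main__":
    for event_id, uid, name in cross_owner_accesses(SAMPLE_LOG, 1000):
        print(f"{event_id} uid={uid} accessed {name} (ouid=1000)")
```

Names that the audit subsystem hex-encodes are reported in their encoded form; decoding them is left out here.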