[PATCH] auvirt: a new tool for reporting events related to virtual machines

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Tue Jan 24 18:08:56 UTC 2012


I took a look at some anomaly events and I'm thinking of correlating them 
to guests based on the SELinux context or maybe based on the pid field.

Do you think there are other ways to correlate them?

Regards,
Marcelo

On 01/11/2012 07:20 PM, Steve Grubb wrote:
> On Thursday, January 05, 2012 11:44:57 AM Marcelo Cerri wrote:
>> But I'm not sure what "anomaly events" means. Would it be malformed
>> records (without some fields, for example) or a specific record type
>> generated by the kernel or some other userspace application?
> No, these are events in the range of AUDIT_FIRST_ANOM_MSG and
> AUDIT_LAST_ANOM_MSG and some from the kernel in the range of
> AUDIT_FIRST_KERN_ANOM_MSG and AUDIT_LAST_KERN_ANOM_MSG.
>
> -Steve
>
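
The correlation discussed in this message, sketched as an added example (not code from auvirt or from either poster): anomaly records are selected by the type ranges named in the reply and joined to guests by pid first, then by SELinux context. The sample records are constructed, and using `vm-ctx` from VIRT_MACHINE_ID and `vm-pid` from VIRT_CONTROL as join keys is an assumption about the libvirt record layout.

```python
import re

# Ranges named in the reply: AUDIT_*_KERN_ANOM_MSG and AUDIT_*_ANOM_MSG (libaudit.h values).
ANOM_RANGES = ((1700, 1799), (2100, 2199))

# Constructed sample log; the vm-ctx / vm-pid field placement is an assumption.
SAMPLE_LOG = """\
type=VIRT_MACHINE_ID msg=audit(1327428000.100:10): pid=900 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=kvm vm="guest1" uuid=11111111-1111-1111-1111-111111111111 vm-ctx=system_u:system_r:svirt_t:s0:c10,c20 img-ctx=system_u:object_r:svirt_image_t:s0:c10,c20 exe="/usr/sbin/libvirtd"'
type=VIRT_CONTROL msg=audit(1327428000.200:11): pid=900 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=kvm op=start reason=booted vm="guest1" uuid=11111111-1111-1111-1111-111111111111 vm-pid=4242 exe="/usr/sbin/libvirtd"'
type=VIRT_MACHINE_ID msg=audit(1327428010.100:12): pid=900 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=kvm vm="guest2" uuid=22222222-2222-2222-2222-222222222222 vm-ctx=system_u:system_r:svirt_t:s0:c30,c40 img-ctx=system_u:object_r:svirt_image_t:s0:c30,c40 exe="/usr/sbin/libvirtd"'
type=VIRT_CONTROL msg=audit(1327428010.200:13): pid=900 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=kvm op=start reason=booted vm="guest2" uuid=22222222-2222-2222-2222-222222222222 vm-pid=4300 exe="/usr/sbin/libvirtd"'
type=ANOM_ABEND msg=audit(1327428100.500:20): auid=4294967295 uid=107 gid=107 ses=4294967295 subj=system_u:system_r:svirt_t:s0:c10,c20 pid=4242 comm="qemu-kvm" sig=11
type=ANOM_ABEND msg=audit(1327428200.500:21): auid=4294967295 uid=107 gid=107 ses=4294967295 subj=system_u:system_r:svirt_t:s0:c30,c40 pid=4311 comm="qemu-kvm" sig=6
type=UNKNOWN[1750] msg=audit(1327428300.500:22): pid=4300 subj=system_u:system_r:svirt_t:s0:c30,c40 comm="qemu-kvm"
type=ANOM_PROMISCUOUS msg=audit(1327428400.500:23): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=USER_LOGIN msg=audit(1327428500.500:24): pid=4242 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0 msg='op=login acct="root" exe="/usr/sbin/sshd" res=success'
"""

def parse(line):
    """Split one audit record into a key -> value dict, dropping quotes."""
    pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
    return {k: v.strip("\"'") for k, v in pairs}

def is_anomaly(rtype):
    """True for ANOM_* names and for unnamed types inside ANOM_RANGES."""
    m = re.fullmatch(r"UNKNOWN\[(\d+)\]", rtype)
    if m:
        return any(lo <= int(m.group(1)) <= hi for lo, hi in ANOM_RANGES)
    return rtype.startswith("ANOM_")

def correlate(log):
    """Return (record type, guest, matched-on) for every anomaly record."""
    by_ctx, by_pid, hits = {}, {}, []
    for line in log.splitlines():
        f = parse(line)
        rtype = f.get("type", "")
        if rtype == "VIRT_MACHINE_ID" and "vm-ctx" in f:
            by_ctx[f["vm-ctx"]] = f["vm"]      # SELinux label -> guest
        elif rtype == "VIRT_CONTROL" and f.get("op") == "start" and "vm-pid" in f:
            by_pid[f["vm-pid"]] = f["vm"]      # qemu pid -> guest
        elif is_anomaly(rtype):
            if f.get("pid") in by_pid:
                hits.append((rtype, by_pid[f["pid"]], "pid"))
            elif f.get("subj") in by_ctx:
                hits.append((rtype, by_ctx[f["subj"]], "subj"))
            else:
                hits.append((rtype, None, None))  # not attributable to a guest
    return hits
```

Both keys can be reused over time (pids are recycled and dynamic MCS labels are reassigned when guests restart), so the maps are overwritten in log order and a real tool would also bound each match by the guest's start and stop events.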



