From: Richard Guy Briggs
Subject: Re: New draft standards
Date: Tue, 15 Dec 2015 00:11:13 -0500
Message-ID: <20151215051113.GC31812@madcap2.tricolour.ca>
References: <3616972.XJnAnOOqWb@x2> <10524337.222XSUgHvY@x2> <1748716.onoFcfVhek@sifl> <1449625417.8064.61.camel@swtf.swtf.dyndns.org> <20151210174929.3883529b@ivy-bridge>
To: Paul Moore
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 15/12/10, Paul Moore wrote:
> On Thu, Dec 10, 2015 at 5:49 PM, Steve Grubb wrote:
> > On Wed, 09 Dec 2015 12:43:37 +1100
> > Burn Alting wrote:
> >
> >> Steve,
> >>
> >> Can you mock up some examples of an 'enriched' event showing how it is
> >> different from what we have now.
> >
> > type=LOGIN msg=audit(1449782897.896:2496): pid=1768 uid=0
> > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 old-auid=4294967295
> > auid=4325 old-ses=4294967295 ses=1 res=1 UID="root" OLD-AUID="unset"
> > AUID="sgrubb"
> >
> > type=SYSCALL msg=audit(1449778741.412:4952): arch=c000003e syscall=40
> > success=no exit=-22 a0=3 a1=0 a2=0 a3=4000 items=0 ppid=7362 pid=7994
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > tty=(none) ses=4294967295 comm="systemd-coredum"
> > exe="/usr/lib/systemd/systemd-coredump"
> > subj=system_u:system_r:init_t:s0 key="einval-retcode" ARCH=x86_64
> > SYSCALL=sendfile AUID="unset" UID="root" GID="root" EUID="root"
> > SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
>
> This could be confusing on a system with "unset" as a user.

As we do with "none", "(unset)" might be better?

> paul moore

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
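The ambiguity raised in this thread, as an added example that is not part of the original messages: parse the enriched SYSCALL record quoted above into its raw (lowercase) and enriched (uppercase) fields, and show how a parenthesised "(unset)" for the 4294967295 sentinel avoids colliding with a real account named "unset". The passwd map is constructed for illustration; the parser, `UNSET_ID` and the helper names are assumptions of this example, not auditd's own code.

```python
import shlex

# Constructed input: the SYSCALL record quoted in the thread, on one line.
RECORD = (
    'type=SYSCALL msg=audit(1449778741.412:4952): arch=c000003e syscall=40 '
    'success=no exit=-22 a0=3 a1=0 a2=0 a3=4000 items=0 ppid=7362 pid=7994 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="systemd-coredum" '
    'exe="/usr/lib/systemd/systemd-coredump" '
    'subj=system_u:system_r:init_t:s0 key="einval-retcode" ARCH=x86_64 '
    'SYSCALL=sendfile AUID="unset" UID="root" GID="root" EUID="root" '
    'SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'
)

# Constructed passwd map: note the deliberately confusing account "unset".
PASSWD = {0: "root", 4325: "sgrubb", 1001: "unset"}

UNSET_ID = 0xFFFFFFFF  # (unsigned)-1: the kernel's "no login uid / session"


def parse_record(line):
    """Split one audit record into key -> value (quotes stripped).

    Lowercase keys are the raw kernel fields; uppercase keys are the
    user-space enrichment that resolved ids to names.
    """
    fields = {}
    for tok in shlex.split(line):
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return fields


def resolve_uid(uid_field, passwd):
    """Resolve a numeric id like the enrichment does, but render the unset
    sentinel as "(unset)" so it cannot be mistaken for an account name
    (mirroring the "(none)" convention already used for tty)."""
    uid = int(uid_field)
    if uid == UNSET_ID:
        return "(unset)"
    return passwd.get(uid, str(uid))


def is_ambiguous(fields, passwd):
    """True if AUID="unset" could mean either the sentinel or a real user."""
    return fields.get("AUID") == "unset" and "unset" in passwd.values()
```

`resolve_uid(fields["auid"], PASSWD)` yields "(unset)" for the record above, while `is_ambiguous` flags the bare `AUID="unset"` form whenever such an account exists.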