From: Mikhail K. <vie...@vi...> - 2016-12-16 16:36:16

Hi Mimi,

> As long as we're making changes, are there any other
> changes needed? Perhaps an indication as to whether the audit info
> is from the init_user_ns?

I only needed "fowner" in my work as additional info, since I found that all I needed in the audit message was already implemented.

> Samples of format changes need to be sent to the audit mailing as
> well.

Audit output will look like this (output from my /var/log/audit.log):

Dec 15 15:10:27 totoro kernel: [12912.070841] audit: type=1800 audit(1481803827.825:805): pid=42788 uid=0 auid=1000 ses=3 op="appraise_data" cause="invalid-HMAC" comm="thunar" name="/usr/lib64/qt5/mkspecs/qconfig.pri" fowner=0 dev="dm-1" ino=925675 res=0

Dec 16 17:16:41 totoro kernel: [14605.321665] audit: type=1800 audit(1481897801.780:19459): pid=53087 uid=0 auid=1000 ses=3 op="appraise_data" cause="invalid-signature" comm="evmctl" name="/etc/logcheck/ignore.d.workstation/local_rules" fowner=106 dev="dm-1" ino=264181 res=0

--
Best regards,
Mikhail Kurinnoi
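Added example, not part of the original mail: a small Python parser for the record format shown above, which tallies appraise_data records by cause and fowner and lists files not owned by uid 0. The sample lines are the two records from the mail; the function names and the handling of a missing fowner field are assumptions.

```python
import re
from collections import Counter

# The two records quoted in the mail above, syslog prefix included.
SAMPLE = [
    'Dec 15 15:10:27 totoro kernel: [12912.070841] audit: type=1800 audit(1481803827.825:805): pid=42788 uid=0 auid=1000 ses=3 op="appraise_data" cause="invalid-HMAC" comm="thunar" name="/usr/lib64/qt5/mkspecs/qconfig.pri" fowner=0 dev="dm-1" ino=925675 res=0',
    'Dec 16 17:16:41 totoro kernel: [14605.321665] audit: type=1800 audit(1481897801.780:19459): pid=53087 uid=0 auid=1000 ses=3 op="appraise_data" cause="invalid-signature" comm="evmctl" name="/etc/logcheck/ignore.d.workstation/local_rules" fowner=106 dev="dm-1" ino=264181 res=0',
]

# "type=N audit(sec.msec:serial):" followed by the key=value payload.
HEADER = re.compile(r'type=(\d+) audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# A value is either a double-quoted string or a bare token.
# Assumption: names are quoted as in the samples; an unquoted
# (e.g. hex-encoded) value is kept as the raw token, not decoded.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return a dict of fields for one audit line, or None if it is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"type": int(m.group(1)), "epoch": int(m.group(2)),
           "serial": int(m.group(4))}
    for key, val in FIELD.findall(m.group(5)):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def summarize(lines):
    """Count appraise_data records per (cause, fowner); list non-root-owned files."""
    counts, non_root = Counter(), []
    for line in lines:
        rec = parse_record(line)
        # 1800 is the record type shown in the samples (AUDIT_INTEGRITY_DATA).
        if not rec or rec["type"] != 1800 or rec.get("op") != "appraise_data":
            continue
        # Assumption: records without fowner are tolerated and counted as None.
        fowner = int(rec["fowner"]) if "fowner" in rec else None
        counts[(rec.get("cause"), fowner)] += 1
        if fowner not in (None, 0):
            non_root.append((rec.get("name"), fowner, rec.get("cause")))
    return counts, non_root


if __name__ == "__main__":
    print(summarize(SAMPLE))
```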