Re: [Linux-ima-user] integrity: Add fowner field into integrity_audit_msg output.

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Fri, 2016-12-16 at 19:36 +0300, Mikhail Kurinnoi wrote:
> Hi Mimi,
> 
> > As long as we're making changes, are there any other
> > changes needed?   Perhaps an indication as to whether the audit info
> > is from the init_user_ns?
> 
> I was need only "fowner" in my work as additional info, since I found
> all I needed in audit message was already implemented.

That's great!  Before making this change,  I was hoping others would
join this discussion as well.

Mimi

> > Samples of format changes need to be sent to the audit mailing as
> > well.
> 
> audit output will look like this (output from my /var/log/audit.log):
> 
> Dec 15 15:10:27 totoro kernel: [12912.070841] audit: type=1800
> audit(1481803827.825:805): pid=42788 uid=0 auid=1000 ses=3
> op="appraise_data" cause="invalid-HMAC" comm="thunar"
> name="/usr/lib64/qt5/mkspecs/qconfig.pri" fowner=0 dev="dm-1"
> ino=925675 res=0
> Dec 16 17:16:41 totoro kernel: [14605.321665] audit: type=1800
> audit(1481897801.780:19459): pid=53087 uid=0 auid=1000 ses=3
> op="appraise_data" cause="invalid-signature" comm="evmctl"
> name="/etc/logcheck/ignore.d.workstation/local_rules" fowner=106
> dev="dm-1" ino=264181 res=0