Hilko Bengen
Process information should not only be included for `SYSCALL.ppid` but also for
- `OBJ_PID.opid`
- `SYSCALL.pid`, not duplicating `exe` and `comm`, only including the generating message id
- `pid` as...
From observation: Executing scripts (using a `#!` line) produces a slightly different set of event records than executing an ELF binary: When running scripts, `SYSCALL.exe` contains the interpreter (`/bin/bash`, `/bin/sh`,...
go-audit enriches its event with a `uid_map` table, so the container's inside view of the user_namespace can be seen, cf. #98. Not quite sure how to implement this yet.
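An added example (not laurel's or go-audit's code) of what such an enrichment has to compute: parse the `/proc/<pid>/uid_map` format (the same format as `gid_map`) and translate a uid between the host's view and the container's inside view. The map contents below are constructed; in practice they would be read from `/proc/<pid>/uid_map` of the process that generated the audit record.

```rust
// Added example: translate uids between the host (parent user namespace)
// and the container's inside view using the /proc/<pid>/uid_map format.
// Not laurel's or go-audit's code; the sample maps below are constructed.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct UidMapEntry {
    pub inside_start: u32,  // first id as seen inside the namespace
    pub outside_start: u32, // first id as seen in the parent namespace
    pub count: u32,         // length of the range
}

#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct UidMap {
    entries: Vec<UidMapEntry>,
}

impl UidMap {
    /// Parse the text of /proc/<pid>/uid_map: one line per range,
    /// "<id inside ns> <id in parent ns> <length>", whitespace separated.
    pub fn parse(text: &str) -> Result<UidMap, String> {
        let mut entries = Vec::new();
        for (lineno, line) in text.lines().enumerate() {
            let line = line.trim();
            if line.is_empty() {
                continue;
            }
            let fields: Vec<&str> = line.split_whitespace().collect();
            if fields.len() != 3 {
                return Err(format!("line {}: expected 3 fields, got {}", lineno + 1, fields.len()));
            }
            let parse = |s: &str| {
                s.parse::<u32>()
                    .map_err(|e| format!("line {}: {:?}: {}", lineno + 1, s, e))
            };
            let entry = UidMapEntry {
                inside_start: parse(fields[0])?,
                outside_start: parse(fields[1])?,
                count: parse(fields[2])?,
            };
            if entry.count == 0 {
                return Err(format!("line {}: zero-length range", lineno + 1));
            }
            entries.push(entry);
        }
        Ok(UidMap { entries })
    }

    /// Host uid (what auditd records) -> uid as seen inside the namespace.
    /// None means the id is not mapped; inside the container it then shows
    /// up as the overflow uid (normally 65534).
    pub fn to_inside(&self, host_uid: u32) -> Option<u32> {
        self.entries.iter().find_map(|e| {
            let off = host_uid.checked_sub(e.outside_start)?;
            (off < e.count).then(|| e.inside_start + off)
        })
    }

    /// Inside-namespace uid -> host uid.
    pub fn to_host(&self, inside_uid: u32) -> Option<u32> {
        self.entries.iter().find_map(|e| {
            let off = inside_uid.checked_sub(e.inside_start)?;
            (off < e.count).then(|| e.outside_start + off)
        })
    }

    /// True for the identity map of the initial user namespace, i.e. the
    /// process is not in a container's user namespace at all.
    pub fn is_identity(&self) -> bool {
        self.entries.len() == 1
            && self.entries[0] == UidMapEntry { inside_start: 0, outside_start: 0, count: u32::MAX }
    }
}

/// Constructed sample: root inside the container is host uid 100000, and
/// host uid 1000 is additionally mapped to inside uid 65536.
pub const SAMPLE_UID_MAP: &str = "         0     100000      65536\n     65536       1000          1\n";

/// Constructed sample of what /proc/1/uid_map looks like on the host.
pub const INIT_UID_MAP: &str = "         0          0 4294967295\n";

fn main() {
    let map = UidMap::parse(SAMPLE_UID_MAP).expect("valid uid_map");
    for host_uid in [100000u32, 100999, 1000, 0] {
        match map.to_inside(host_uid) {
            Some(inside) => println!("host uid {} is uid {} inside the container", host_uid, inside),
            None => println!("host uid {} is not mapped (overflow uid inside)", host_uid),
        }
    }
}
```

`checked_sub` keeps an id below a range's start from wrapping around into a bogus match, and an unmapped id is reported as `None` rather than silently as 65534, so the caller can decide how to label it in the enriched record.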
So far, Laurel's mode of operation has been pretty linear: Read auditd record from stdin, parse, coalesce, transform, enrich, output, repeat. Any extra I/O it had to do had to...
The following bits of information require talking to a container runtime. They require #97 to be resolved.
- image
- name
- pod_uid
- pod_name
- pod_namespace
Hi, I believe that most (if not all) options that can be queried and set using the interface provided by `forge_socket` are exposed by the TCP_REPAIR feature that was introduced...
Hi, I have ported the fork available under (which also contains legacy ZIP encryption support) onto `archive/zip` as shipped with Go 1.12.7. The cause (and main improvement as I see...
These seem to have been introduced in a patchset "LSM: Module stacking for AppArmor" () that has not been merged upstream yet.
Inspired by discussion in #126, thanks to @zdiff