[RFC PATCH 2/9] audit, io_uring, io-wq: add some basic audit support to io_uring
Steve Grubb
sgrubb at redhat.com
Wed May 26 15:11:50 UTC 2021
On Wednesday, May 26, 2021 10:38:38 AM EDT Paul Moore wrote:
> > > We would need to check with the current security requirements (there
> > > are distro people on the linux-audit list that keep track of that
> > > stuff),

The requirements generally care about resource access. File open, connect,
accept, etc. We don't care about read/write itself as that would flood the
analysis.

> > > but looking at the opcodes right now my gut feeling is that
> > > most of the opcodes would be considered "security relevant" so
> > > selective auditing might not be that useful in practice.

I'd say maybe a quarter to a third look interesting.

> > > It would
> > > definitely clutter the code and increase the chances that new opcodes
> > > would not be properly audited when they are merged.

There is that...

> > I'm curious, why it's enabled by many distros by default? Are there
> > use cases they use?
>
> We've already talked about certain users and environments where audit
> is an important requirement, e.g. public sector, health care,
> financial institutions, etc.; without audit Linux wouldn't be an
> option for these users,

People that care about auditing are under regulatory mandates. They care more
about the audit event than the performance. Imagine you have a system with
some brand new medical discovery. You want to know anyone who accesses the
information in case it gets leaked out. You don't care how slow the system
gets - you simply *have* to know everyone who's looked at the documents.

-Steve