[PATCH RESEND 2/2] selinux: provide matching audit timestamp in the AVC trace event
Paul Moore
paul at paul-moore.com
Mon Dec 19 22:20:50 UTC 2022
On Mon, Dec 19, 2022 at 1:00 PM Ondrej Mosnacek <omosnace at redhat.com> wrote:
>
> In order to make it possible for the users and tooling to associate an
> SELinux AVC trace event with the corresponding audit event, make it
> include the audit timestamp (including the "serial number") of the
> event.
>
> First make audit_log_start() include the timestamp in the audit_buffer
> struct and add a public helper to retrieve it from an audit_buffer
> instance. Then retrieve it in SELinux's avc_audit_post_callback() and
> include it in the "avc:selinux_audited" trace event.
>
> After this patch the event includes the numeric fields that make up the
> timestamp and the text representation includes the timestamp in the same
> format as used in the audit log - e.g. "audit_ts=1671454430.092:1671".
>
> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> ---
> include/linux/audit.h | 8 ++++++++
> include/trace/events/avc.h | 25 +++++++++++++++++--------
> kernel/audit.c | 15 +++++++++++----
> security/selinux/avc.c | 4 +++-
> 4 files changed, 39 insertions(+), 13 deletions(-)
I'm not really liking the idea of exposing the audit timestamp for use
in other subsystems, even if it is just for use in a trace event. I
generally take the approach that audit's charter is to capture and log
security relevant events to userspace where admins and security
officers can use the events to help meet their security goals. While
audit may have some value to developers as a debugging tool, that is
not its primary purpose, and at this point in time I'm not supportive
of adding additional burdens to the audit subsystem to support a
debugging use case (I view exporting and maintaining a proper
timestamp value/struct an additional requirement on the audit
subsystem).
--
paul-moore.com
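The commit message above motivates the change by the need for tooling to associate an "avc:selinux_audited" trace event with the matching audit record. The following is an added example of what such a consumer would do, written for this page and not taken from the patch or from either author. It assumes the audit log's "msg=audit(<secs>.<msecs>:<serial>)" format and the "audit_ts=<secs>.<msecs>:<serial>" field the patch proposes; the sample audit records and trace lines below are constructed, and their other fields are illustrative.

```python
import re
from typing import Dict, List, Optional, Tuple

# Audit records carry the event timestamp as "msg=audit(<secs>.<msecs>:<serial>)".
AUDIT_TS_RE = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")
# The proposed trace event prints the same value as "audit_ts=<secs>.<msecs>:<serial>".
TRACE_TS_RE = re.compile(r"\baudit_ts=(\d+)\.(\d{3}):(\d+)\b")

# (seconds, milliseconds, serial). The serial is what disambiguates events
# that land in the same millisecond, and ties together the several records
# (AVC, SYSCALL, ...) that belong to one event.
AuditKey = Tuple[int, int, int]

# Constructed sample audit records (field values are illustrative).
AUDIT_LINES = [
    'type=AVC msg=audit(1671454430.092:1671): avc:  denied  { read } for  pid=4242 '
    'comm="cat" name="shadow" scontext=u:r:user_t:s0 tcontext=u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1671454430.092:1671): arch=c000003e syscall=257 success=no exit=-13 pid=4242 comm="cat"',
    'type=AVC msg=audit(1671454430.092:1672): avc:  denied  { open } for  pid=4243 '
    'comm="less" name="shadow" scontext=u:r:user_t:s0 tcontext=u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=LOGIN msg=audit(1671454431.000:1673): pid=4300 uid=0 old-auid=4294967295 auid=1000 res=1',
]

# Constructed sample trace output carrying the audit_ts field proposed by the patch.
TRACE_LINES = [
    'cat-4242 [001] .... 1234.567890: selinux_audited: requested=0x2 denied=0x2 audited=0x2 '
    'tclass=file scontext=u:r:user_t:s0 tcontext=u:object_r:shadow_t:s0 audit_ts=1671454430.092:1671',
    'less-4243 [002] .... 1234.567901: selinux_audited: requested=0x2 denied=0x2 audited=0x2 '
    'tclass=file scontext=u:r:user_t:s0 tcontext=u:object_r:shadow_t:s0 audit_ts=1671454430.092:1672',
    # A trace event whose audit record never reached the log (e.g. dropped or not yet flushed).
    'vim-4244 [003] .... 1234.570000: selinux_audited: requested=0x2 denied=0x2 audited=0x2 '
    'tclass=file scontext=u:r:user_t:s0 tcontext=u:object_r:shadow_t:s0 audit_ts=1671454430.093:1674',
]


def parse_audit_key(line: str, pattern: re.Pattern) -> Optional[AuditKey]:
    """Extract (secs, msecs, serial) from a line, or None if the line has no timestamp."""
    m = pattern.search(line)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def format_audit_key(key: AuditKey) -> str:
    """Render a key back into the audit log's own "secs.msecs:serial" text form."""
    secs, msecs, serial = key
    return f"{secs}.{msecs:03d}:{serial}"


def index_audit_log(audit_lines: List[str]) -> Dict[AuditKey, List[str]]:
    """Group all records of one audit event (same timestamp and serial) under one key."""
    index: Dict[AuditKey, List[str]] = {}
    for line in audit_lines:
        key = parse_audit_key(line, AUDIT_TS_RE)
        if key is not None:
            index.setdefault(key, []).append(line)
    return index


def correlate(trace_lines: List[str], audit_lines: List[str]):
    """Map each trace event to the audit records with the same audit_ts.

    Returns (matched, unmatched): matched maps a trace line to its audit records;
    unmatched lists trace lines with no corresponding audit event.
    """
    index = index_audit_log(audit_lines)
    matched: Dict[str, List[str]] = {}
    unmatched: List[str] = []
    for line in trace_lines:
        key = parse_audit_key(line, TRACE_TS_RE)
        if key is None or key not in index:
            unmatched.append(line)
        else:
            matched[line] = index[key]
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = correlate(TRACE_LINES, AUDIT_LINES)
    for trace, records in matched.items():
        key = parse_audit_key(trace, TRACE_TS_RE)
        print(f"trace event audit_ts={format_audit_key(key)} -> {len(records)} audit record(s)")
    for trace in unmatched:
        print(f"no audit record for: {trace}")
```

Keying on the serial as well as the timestamp is what makes the join exact: the two constructed AVC records in the same millisecond are told apart by serial, and the AVC and SYSCALL records of one denial collapse onto a single key.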