[PATCH] audit: add task history record
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Fri Aug 18 10:29:52 UTC 2023
On 2023/08/16 22:53, Paul Moore wrote:
> On Wed, Aug 16, 2023 at 6:10 AM Tetsuo Handa
> <penguin-kernel at i-love.sakura.ne.jp> wrote:
>> On 2023/08/16 3:44, Paul Moore wrote:
>>> On Fri, Aug 11, 2023 at 6:58 AM Tetsuo Handa
>>> <penguin-kernel at i-love.sakura.ne.jp> wrote:
>>>>
>>>> When an unexpected system event occurs, the administrator may want to
>>>> identify which application triggered the event. For example, unexpected
>>>> process termination is still a real concern enough to write articles
>>>> like https://access.redhat.com/solutions/165993 .
>>>>
>>>> This patch adds a record which emits TOMOYO-like task history information
>>>> into the audit logs for better understanding of unexpected system events.
>>>>
>>>> type=UNKNOWN[1340] msg=audit(1691750738.271:108): history="name=swapper/0;pid=1;start=20230811194329=>name=init;pid=1;start=20230811194343=>name=systemd;pid=1;start=20230811194439=>name=sshd;pid=3660;start=20230811104504=>name=sshd;pid=3767;start=20230811104535"
>>>
>>> While I respect your persistence, we've talked about this quite a bit
>>> already in other threads. What you are trying to do is already
>>> possible with audit
>>
>> How?
>
> If you configure audit to record exec() and friends you should have a
> proper history of the processes started on the system.
That is a "No LSM modules other than SELinux is needed because SELinux can do
everything" assertion. People propose different approaches/implementations because
they can't afford utilizing/configuring existing approaches/implementations.
Your assertion is a fatal problem for merging "Re: [PATCH v13 00/11] LSM: Three basic syscalls"
at https://lkml.kernel.org/r/CAHC9VhQ4ttkSLTBCrXNZSBR1FP9UZ_gUHmo0BS37LCdyBmUeyA@mail.gmail.com .
Please please allow LSM modules like https://lkml.kernel.org/r/41d03271-ff8a-9888-11de-a7f53da47328@I-love.SAKURA.ne.jp
to obtain a stable LSM ID if you don't want to support something that possibly have an alternative.
More information about the Linux-security-module-archive
mailing list