[PATCH] audit: add task history record
Steve Grubb
sgrubb at redhat.com
Tue Aug 22 16:29:28 UTC 2023
On Wednesday, August 16, 2023 9:53:58 AM EDT Paul Moore wrote:
> On Wed, Aug 16, 2023 at 6:10 AM Tetsuo Handa
> <penguin-kernel at i-love.sakura.ne.jp> wrote:
> > On 2023/08/16 3:44, Paul Moore wrote:
> > > On Fri, Aug 11, 2023 at 6:58 AM Tetsuo Handa
> > > <penguin-kernel at i-love.sakura.ne.jp> wrote:
> > >> When an unexpected system event occurs, the administrator may want to
> > >> identify which application triggered the event. For example,
> > >> unexpected process termination is still a real concern enough to write
> > >> articles like https://access.redhat.com/solutions/165993 .
> > >>
> > >> This patch adds a record which emits TOMOYO-like task history
> > >> information into the audit logs for better understanding of unexpected
> > >> system events.
> > >>
> > >> type=UNKNOWN[1340] msg=audit(1691750738.271:108):
> > >> history="name=swapper/0;pid=1;start=20230811194329=>name=init;pid=1;s
> > >> tart=20230811194343=>name=systemd;pid=1;start=20230811194439=>name=ssh
> > >> d;pid=3660;start=20230811104504=>name=sshd;pid=3767;start=202308111045
> > >> 35"
> > >
> > > While I respect your persistence, we've talked about this quite a bit
> > > already in other threads. What you are trying to do is already
> > > possible with audit
> >
> > How?
>
> If you configure audit to record exec() and friends you should have a
> proper history of the processes started on the system.
This is not a practical solution. Yes, technically this could be done. But it
would be a huge burden on the system to keep up with this. And it would bury
events you truly wanted to see effectively DoS'ing the audit system.
-Steve
More information about the Linux-security-module-archive
mailing list