[PATCH] audit: add task history record

Paul Moore paul at paul-moore.com
Thu Aug 24 13:30:10 UTC 2023


On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
<penguin-kernel at i-love.sakura.ne.jp> wrote:
>
> On 2023/08/23 23:48, Paul Moore wrote:
> > We've already discussed this both from a kernel load perspective (it
> > should be able to handle the load, if not that is a separate problem
> > to address) as well as the human perspective (if you want auditing,
> > you need to be able to handle auditing).
>
> No. You haven't shown us audit rules that can satisfy requirements shown below.
>
>   (1) Catch _all_ process creations (both via fork()/clone() system calls and
>       kthread_create() from the kernel), and duplicate the history upon process
>       creation.

Create an audit filter rule to record the syscalls you are interested
in logging.

>   (2) Catch _all_ execve(), and update the history upon successful execve().

Create an audit filter rule to record the syscalls you are interested
in logging.

>   (3) Catch _all_ process terminations (both exit()/exit_group()/kill() system
>       calls and internal reasons such as OOM killer), and erase the history upon
>       process termination.

Create an audit filter rule to record the events you are interested in
logging, if there is an event which isn't being recorded feel free to
submit a patch to generate an audit record.

-- 
paul-moore.com



More information about the Linux-security-module-archive mailing list