[PATCH] audit: add task history record
Paul Moore
paul at paul-moore.com
Thu Aug 24 13:30:10 UTC 2023
On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
<penguin-kernel at i-love.sakura.ne.jp> wrote:
>
> On 2023/08/23 23:48, Paul Moore wrote:
> > We've already discussed this both from a kernel load perspective (it
> > should be able to handle the load, if not that is a separate problem
> > to address) as well as the human perspective (if you want auditing,
> > you need to be able to handle auditing).
>
> No. You haven't shown us audit rules that can satisfy requirements shown below.
>
> (1) Catch _all_ process creations (both via fork()/clone() system calls and
> kthread_create() from the kernel), and duplicate the history upon process
> creation.
Create an audit filter rule to record the syscalls you are interested
in logging.
> (2) Catch _all_ execve(), and update the history upon successful execve().
Create an audit filter rule to record the syscalls you are interested
in logging.
> (3) Catch _all_ process terminations (both exit()/exit_group()/kill() system
> calls and internal reasons such as OOM killer), and erase the history upon
> process termination.
Create an audit filter rule to record the events you are interested in
logging, if there is an event which isn't being recorded feel free to
submit a patch to generate an audit record.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list