[PATCH] audit: add task history record
Paul Moore
paul at paul-moore.com
Thu Aug 24 14:24:35 UTC 2023
On Thu, Aug 24, 2023 at 9:39 AM Tetsuo Handa
<penguin-kernel at i-love.sakura.ne.jp> wrote:
> On 2023/08/24 22:30, Paul Moore wrote:
> > On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
> > <penguin-kernel at i-love.sakura.ne.jp> wrote:
> >>
> >> On 2023/08/23 23:48, Paul Moore wrote:
> >>> We've already discussed this both from a kernel load perspective (it
> >>> should be able to handle the load, if not that is a separate problem
> >>> to address) as well as the human perspective (if you want auditing,
> >>> you need to be able to handle auditing).
> >>
> >> No. You haven't shown us audit rules that can satisfy requirements shown below.
> >>
> >> (1) Catch _all_ process creations (both via fork()/clone() system calls and
> >> kthread_create() from the kernel), and duplicate the history upon process
> >> creation.
> >
> > Create an audit filter rule to record the syscalls you are interested
> > in logging.
>
> I can't interpret what you are talking about. Please show me using command line.

I'm sorry Tetsuo, but I've already spent far too much time going in
circles with you on this topic. As you are capable of submitting
kernel patches, you should be capable of reading a manpage and
experimenting yourself:
https://man7.org/linux/man-pages/man8/auditctl.8.html
--
paul-moore.com
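
An added example, not part of the original message or of the patch under discussion: one way a per-task history could be rebuilt in userspace from syscall audit records, copying the parent's chain on each task creation. The rule in the comment, the key name `task_hist`, the `=>` separator, the helper names and the log lines are all assumptions constructed for illustration; the sketch covers only tasks created through the audited syscalls and does not handle PID reuse.

```python
import re

# Assumed rule feeding this log (auditctl(8) syntax; the key name is made up):
#   auditctl -a always,exit -F arch=b64 -S fork -S vfork -S clone -S execve -k task_hist
# x86_64 syscall numbers: clone=56, fork=57, vfork=58, execve=59.
CREATE, EXEC = {"56", "57", "58"}, "59"

# Constructed sample records, trimmed to the fields used below.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1692886000.100:101): arch=c000003e syscall=56 success=yes exit=812 ppid=1 pid=700 comm="sshd" exe="/usr/sbin/sshd" key="task_hist"
type=SYSCALL msg=audit(1692886000.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=700 pid=812 comm="bash" exe="/usr/bin/bash" key="task_hist"
type=SYSCALL msg=audit(1692886001.300:103): arch=c000003e syscall=56 success=yes exit=830 ppid=700 pid=812 comm="bash" exe="/usr/bin/bash" key="task_hist"
type=SYSCALL msg=audit(1692886001.350:104): arch=c000003e syscall=59 success=no exit=-2 ppid=812 pid=830 comm="bash" exe="/usr/bin/bash" key="task_hist"
type=SYSCALL msg=audit(1692886001.400:105): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=830 comm="curl" exe="/usr/bin/curl" key="task_hist"
type=PATH msg=audit(1692886001.400:105): item=0 name="/usr/bin/curl"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def build_histories(log):
    """Return {pid: [comm, ...]}, duplicating the parent's chain on creation."""
    hist = {}
    for line in log.splitlines():
        rec = parse(line)
        # Only successful syscall records change a task's history.
        if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
            continue
        pid = int(rec["pid"])
        if rec["syscall"] in CREATE:
            # pid= is the caller (parent); exit= carries the new task's id.
            parent = hist.setdefault(pid, [rec["comm"]])
            hist[int(rec["exit"])] = list(parent)
        elif rec["syscall"] == EXEC:
            # After a successful execve, comm= already names the new program.
            hist.setdefault(pid, []).append(rec["comm"])
    return hist

def render(hist, pid):
    """Format one task's chain, oldest program first."""
    return "=>".join(hist[pid])
```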