[PATCH] audit: add task history record
Steve Grubb
sgrubb at redhat.com
Thu Aug 24 15:55:31 UTC 2023
Hello Paul,
On Thursday, August 24, 2023 9:30:10 AM EDT Paul Moore wrote:
> On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
> <penguin-kernel at i-love.sakura.ne.jp> wrote:
> > On 2023/08/23 23:48, Paul Moore wrote:
> > > We've already discussed this both from a kernel load perspective (it
> > > should be able to handle the load, if not that is a separate problem
> > > to address) as well as the human perspective (if you want auditing,
> > > you need to be able to handle auditing).
> >
> > No. You haven't shown us audit rules that can satisfy requirements shown
> > below.>
> > (1) Catch _all_ process creations (both via fork()/clone() system calls
> > and kthread_create() from the kernel), and duplicate the history upon
> > process creation.
>
> Create an audit filter rule to record the syscalls you are interested
> in logging.
>
> > (2) Catch _all_ execve(), and update the history upon successful
> > execve().
>
> Create an audit filter rule to record the syscalls you are interested
> in logging.
>
> > (3) Catch _all_ process terminations (both exit()/exit_group()/kill()
> > system calls and internal reasons such as OOM killer), and erase the
> > history upon process termination.
>
> Create an audit filter rule to record the events you are interested in
> logging, if there is an event which isn't being recorded feel free to
> submit a patch to generate an audit record.
I'm not for or against this or a similar patch. The information Tetsuo is
looking for cannot be recreated from logs. What if it were a daemon that's
been running for a year? With the amount of data you are suggesting to log,
it would have rotated away months ago. To log all of the system calls you
mention would be abusive of the audit system, hurt performance, wear out SSD
drives, and ultimately fail.
There may be other reasons you don't like the patch and that's fine. But
saying it can be done from user space after the fact is not helpful.
-Steve
More information about the Linux-security-module-archive
mailing list