[PATCH] audit: add task history record

Paul Moore paul at paul-moore.com
Fri Aug 25 03:36:43 UTC 2023


On August 24, 2023 6:24:47 PM Tetsuo Handa 
<penguin-kernel at I-love.SAKURA.ne.jp> wrote:
> On 2023/08/24 23:26, Paul Moore wrote:
>> On Thu, Aug 24, 2023 at 9:47 AM Tetsuo Handa
>> <penguin-kernel at i-love.sakura.ne.jp> wrote:
>>> On 2023/08/24 22:39, Tetsuo Handa wrote:
>>>>>> (1) Catch _all_ process creations (both via fork()/clone() system calls and
>>>>>>  kthread_create() from the kernel), and duplicate the history upon process
>>>>>>  creation.
>>>>>
>>>>> Create an audit filter rule to record the syscalls you are interested
>>>>> in logging.
>>>>
>>>> I can't interpret what you are talking about. Please show me using command 
>>>> line.
>>>
>>> I'm not interested in logging the syscalls just for maintaining process history
>>> information.
>>
>> That's unfortunate because I'm not interested in merging your patch
>> when we already have an audit log which can be used to trace process
>> history information.
>
> It is unfortunate that you continue ignoring the
>
>  How can auditd generate logs that are not triggered via syscalls?
>
> line. I know how to configure syscall rules using "-S" option. But I do
> not know how to configure non syscall rules (such as process creation via
> kthread_create(), process termination due to tty hangup or OOM killer).

At this point you've exhausted my goodwill so I would suggest simply 
reading the audit code, man pages, and experimenting with a running system to 
understand how things work, especially for non-syscall records.

> I repeat:
>
>  The auditd is not capable of generating _all_ records needed for maintaining
>  this information.
>
>  The logs generated via system call auditing is just an example user
>  of this information.

I repeat:

If you find a place in the code where you believe there should be an audit 
record, post a patch and we can discuss it.

--
paul-moore.com
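Added example, not part of this thread or of the kernel audit code: with a syscall rule such as `auditctl -a always,exit -F arch=b64 -S clone,fork,vfork,execve -k proc-history` loaded, the SYSCALL records carry `pid`, `ppid` and, for clone/fork/vfork, the child pid in `exit`; the script below parses constructed records in that format and rebuilds a process ancestry chain from them. It assumes x86_64 syscall numbers, and only events that pass through an audited syscall appear in such a trace.

```python
import re

# Constructed sample records (not real logs), modelled on the SYSCALL record
# shape produced by a rule like:
#   auditctl -a always,exit -F arch=b64 -S clone,fork,vfork,execve -k proc-history
# x86_64 syscall numbers are assumed: clone=56 fork=57 vfork=58 execve=59.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1692924287.101:201): arch=c000003e syscall=56 success=yes exit=1234 ppid=1 pid=800 auid=1000 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="proc-history"
type=SYSCALL msg=audit(1692924287.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=800 pid=1234 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="proc-history"
type=SYSCALL msg=audit(1692924287.103:203): arch=c000003e syscall=56 success=yes exit=4321 ppid=800 pid=1234 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="proc-history"
type=SYSCALL msg=audit(1692924287.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=4321 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="proc-history"
type=SYSCALL msg=audit(1692924287.105:205): arch=c000003e syscall=56 success=no exit=-11 ppid=800 pid=1234 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="proc-history"
"""

FORK_SYSCALLS = {56, 57, 58}   # clone, fork, vfork (x86_64)
EXECVE = 59
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_record(line):
    """Turn one audit record line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def build_history(log_text):
    """Return (parent_of, image_of): child pid -> parent pid, pid -> last exe seen."""
    parent_of, image_of = {}, {}
    for line in log_text.splitlines():
        r = parse_record(line)
        if r.get("type") != "SYSCALL" or r.get("success") != "yes":
            continue                      # a failed call created no process
        nr, pid = int(r["syscall"]), int(r["pid"])
        image_of.setdefault(pid, r.get("exe"))
        if nr in FORK_SYSCALLS:
            child = int(r["exit"])        # return value of clone/fork/vfork is the child pid
            parent_of[child] = pid
        elif nr == EXECVE:
            image_of[pid] = r.get("exe")  # exec replaced the image of this pid
    return parent_of, image_of

def ancestry(pid, parent_of, image_of):
    """Walk pid -> parent -> ... as far as the audit trail records it."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:   # seen guards against pid reuse loops
        seen.add(pid)
        chain.append((pid, image_of.get(pid)))
        pid = parent_of.get(pid)
    return chain
```

A pid that never appears in a clone/fork/vfork record (a kernel thread, or anything started before the rule was loaded) has no parent in the map, so its chain stops at itself.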