Re: [PATCH] audit: add task history record
Hello Paul,
On Thursday, August 24, 2023 9:30:10 AM EDT Paul Moore wrote:
On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
<penguin-kernel(a)i-love.sakura.ne.jp> wrote:
> On 2023/08/23 23:48, Paul Moore wrote:
> > We've already discussed this both from a kernel load perspective (it
> > should be able to handle the load, if not that is a separate problem
> > to address) as well as the human perspective (if you want auditing,
> > you need to be able to handle auditing).
>
> No. You haven't shown us audit rules that can satisfy requirements shown
> below.>
> (1) Catch _all_ process creations (both via fork()/clone() system calls
> and kthread_create() from the kernel), and duplicate the history upon
> process creation.
Create an audit filter rule to record the syscalls you are interested
in logging.
> (2) Catch _all_ execve(), and update the history upon successful
> execve().
Create an audit filter rule to record the syscalls you are interested
in logging.
> (3) Catch _all_ process terminations (both exit()/exit_group()/kill()
> system calls and internal reasons such as OOM killer), and erase the
> history upon process termination.
Create an audit filter rule to record the events you are interested in
logging, if there is an event which isn't being recorded feel free to
submit a patch to generate an audit record.
I'm not for or against this or a similar patch. The information Tetsuo is
looking for cannot be recreated from logs. What if it were a daemon that's
been running for a year? With the amount of data you are suggesting to log,
it would have rotated away months ago. To log all of the system calls you
mention would be abusive of the audit system, hurt performance, wear out SSD
drives, and ultimately fail.
There may be other reasons you don't like the patch and that's fine. But
saying it can be done from user space after the fact is not helpful.
-Steve