Re: [PATCH] audit: add task history record

When an unexpected system event occurs, the administrator may want to identify which application triggered the event. For example, unexpected process termination is still a real concern enough to write articles like https://access.redhat.com/solutions/165993 . This patch adds a record which emits TOMOYO-like task history information into the audit logs for better understanding of unexpected system events. type=UNKNOWN[1340] msg=audit(1691750738.271:108): history="name=swapper/0;pid=1;start=20230811194329=>name=init;pid=1;start=20230811194343=>name=systemd;pid=1;start=20230811194439=>name=sshd;pid=3660;start=20230811104504=>name=sshd;pid=3767;start=20230811104535"

To be able to avoid bloating audit log files due to this information, this patch uses audit_history= kernel command line parameter that controls max length of history in bytes (default is 1024, and setting to 0 disables recording and emitting). Unlike execve()'s argv record, records in this history information is emitted as one string in order to reduce bloat of the audit log files. This information can be split into an array using => as the tokenizer. But don't expect that you can compare array elements throughout the whole audit logs by splitting into an array, for old records get removed from history when history became too long to append the newest record. This history information is meant to be interpreted by humans rather than be analyzed by programs. Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp&gt; --- fs/exec.c | 1 + include/linux/audit.h | 5 ++ include/linux/sched.h | 1 + include/uapi/linux/audit.h | 1 + init/init_task.c | 7 +++ kernel/audit.c | 1 + kernel/auditsc.c | 108 +++++++++++++++++++++++++++++++++++++ 7 files changed, 124 insertions(+)