Re: [PATCH] audit: add task history record

On Wednesday, August 16, 2023 9:53:58 AM EDT Paul Moore wrote: > On Wed, Aug 16, 2023 at 6:10 AM Tetsuo Handa > <penguin-kernel(a)i-love.sakura.ne.jp&gt; wrote: > > On 2023/08/16 3:44, Paul Moore wrote: > > > On Fri, Aug 11, 2023 at 6:58 AM Tetsuo Handa > > > <penguin-kernel(a)i-love.sakura.ne.jp&gt; wrote: > > >> When an unexpected system event occurs, the administrator may want to > > >> identify which application triggered the event. For example, > > >> unexpected process termination is still a real concern enough to write > > >> articles like https://access.redhat.com/solutions/165993 . > > >> > > >> This patch adds a record which emits TOMOYO-like task history > > >> information into the audit logs for better understanding of unexpected > > >> system events. > > >> > > >> type=UNKNOWN[1340] msg=audit(1691750738.271:108): > > >> history="name=swapper/0;pid=1;start=20230811194329=>name=init;pid=1;s > > >> tart=20230811194343=>name=systemd;pid=1;start=20230811194439=>name=ssh > > >> d;pid=3660;start=20230811104504=>name=sshd;pid=3767;start=202308111045 > > >> 35" > > > > > > While I respect your persistence, we've talked about this quite a bit > > > already in other threads. What you are trying to do is already > > > possible with audit > > > > How? > > If you configure audit to record exec() and friends you should have a > proper history of the processes started on the system. This is not a practical solution. Yes, technically this could be done. But it would be a huge burden on the system to keep up with this. And it would bury events you truly wanted to see effectively DoS'ing the audit system.