On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
<penguin-kernel(a)i-love.sakura.ne.jp> wrote:
> On 2023/08/23 23:48, Paul Moore wrote:
> > We've already discussed this both from a kernel load perspective (it
> > should be able to handle the load, if not that is a separate problem
> > to address) as well as the human perspective (if you want auditing,
> > you need to be able to handle auditing).
>
> No. You haven't shown us audit rules that can satisfy requirements shown below.
>
> (1) Catch _all_ process creations (both via fork()/clone() system calls and
> kthread_create() from the kernel), and duplicate the history upon process
> creation.

Create an audit filter rule to record the syscalls you are interested
in logging.

> (2) Catch _all_ execve(), and update the history upon successful
> execve().

Create an audit filter rule to record the syscalls you are interested
in logging.

> (3) Catch _all_ process terminations (both
> exit()/exit_group()/kill() system
> calls and internal reasons such as OOM killer), and erase the history upon
> process termination.
Create an audit filter rule to record the events you are interested in
logging, if there is an event which isn't being recorded feel free to
submit a patch to generate an audit record.
--
paul-moore.com
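To make the "audit filter rule" answer concrete, here is an added example (not from the thread or the kernel tree) of one auditctl rule covering the syscalls in (1) to (3), plus a small Python replay that rebuilds the per-process exec history from the resulting SYSCALL records, copying it on creation, appending on execve and erasing on exit as the requirements describe. The rule text, the trimmed field subset and the sample records are assumptions; kernel-internal events such as kthread_create() and OOM kills produce no SYSCALL record, which is exactly the gap the last reply points at.

```python
import re
from typing import Dict, List

# x86_64 (arch=c000003e) syscall numbers for the lifecycle events in the thread.
CLONE, FORK, VFORK, EXECVE, EXIT, EXIT_GROUP, CLONE3 = 56, 57, 58, 59, 60, 231, 435
CREATE = {CLONE, FORK, VFORK, CLONE3}
TERMINATE = {EXIT, EXIT_GROUP}

# Assumed auditctl rule that emits the SYSCALL records replayed below; -k tags
# them so `ausearch -k proc-life` retrieves exactly these events.
AUDIT_RULE = "-a always,exit -F arch=b64 -S clone,clone3,fork,vfork,execve,exit,exit_group -k proc-life"

# Constructed sample records, trimmed to the fields this replay needs.
# A parent's clone record carries the new child's pid in exit=; an execve record
# is written at syscall exit, so exe= already names the new program image.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1692852000.101:11): arch=c000003e syscall=56 success=yes exit=1235 pid=1234 ppid=1 comm="bash" exe="/usr/bin/bash" key="proc-life"
type=SYSCALL msg=audit(1692852000.102:12): arch=c000003e syscall=59 success=yes exit=0 pid=1235 ppid=1234 comm="sleep" exe="/usr/bin/sleep" key="proc-life"
type=SYSCALL msg=audit(1692852000.103:13): arch=c000003e syscall=59 success=no exit=-2 pid=1235 ppid=1234 comm="sleep" exe="/usr/bin/sleep" key="proc-life"
type=SYSCALL msg=audit(1692852000.104:14): arch=c000003e syscall=56 success=yes exit=1236 pid=1235 ppid=1234 comm="sleep" exe="/usr/bin/sleep" key="proc-life"
type=SYSCALL msg=audit(1692852000.105:15): arch=c000003e syscall=231 success=yes exit=0 pid=1235 ppid=1234 comm="sleep" exe="/usr/bin/sleep" key="proc-life"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into its key=value fields, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def track(records: str) -> Dict[int, List[str]]:
    """Replay SYSCALL records and keep a per-pid exec history as the thread asks:
    copy the parent's history on creation, append on successful execve, erase
    on termination. Only syscalls are visible here; kthread_create() and OOM
    kills emit no SYSCALL record, so those processes never appear."""
    history: Dict[int, List[str]] = {}
    for line in records.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        f = parse_record(line)
        nr, pid, ok = int(f["syscall"]), int(f["pid"]), f.get("success") == "yes"
        if nr in CREATE and ok:
            child = int(f["exit"])  # return value in the parent is the child's pid
            history[child] = list(history.get(pid, [f["exe"]]))
        elif nr == EXECVE and ok:
            history.setdefault(pid, []).append(f["exe"])  # failed execve changes nothing
        elif nr in TERMINATE:
            history.pop(pid, None)  # exit never fails; drop the entry
    return history

if __name__ == "__main__":
    print(track(SAMPLE_RECORDS))  # {1236: ['/usr/bin/bash', '/usr/bin/sleep']}
```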