Hello Burn,
On Tuesday, December 20, 2022 5:36:28 PM EST Burn Alting wrote:
I note that the unsolicited AUDIT_BPF audit event only provides a program
id and operation (load or unload). For example, type=BPF
msg=audit(21/12/22 09:03:35.765:439) : prog-id=75 op=LOAD or type=BPF
msg=audit(21/12/22 09:04:05.883:460) : prog-id=0 op=UNLOAD
I also note that the bpf auxillary structure (struct bpf_prog_aux) that
holds the program id value, also holds a name (struct bpf_prog_aux->name)
and uid (struct bpf_prog_aud->user_struct->uid). Perhaps adding these two
items to the AUDIT_BPF event would provide more security context for this
unsolicited event. Thoughts?
I agree that the resulting event leaves a lot to be desired. When the patch
was being merged, I think it was pointed out that all we have is a number.
The BPF folks seemed to insist that was all that was needed. They never
explained how to use that number for anything practical like knowing what was
loaded. If anything can be done to improve the situation, I'd like to
encourage a patch. Systemd triggers a bunch of these events. But what it's
doing is unknowable.
-Steve