Re: RFC(V3): Audit Kernel Container IDs
On 2018-01-09 19:05, Eric W. Biederman wrote:
Please let's have a description of the problem you are trying to
solve.
I thought the first sentence of the second paragraph summed it up rather
well.
Here are the elaborated motivations:
- Filter unwanted, irrelevant or unimportant messages before they fill
queue so important messages don't get lost. This is a certification
requirement.
- Make security claims about containers, require tracking of actions
within those containers to ensure compliance with established security
policies.
- Route messages from events to local audit daemon instance or host
audit daemon instance
- Tried nsIDs, but insufficient for efficient filtering, routing,
tracking
A proposed solution without talking about the problem space is
useless.
Any proposed solution could potentially work.
I know to these exist. There is motivation for your work.
What is the motivation?
What problem are you trying to solve?
In particular what information are you trying to get into logs that you
can not get into the logs today?
I am going to try to give this the attention it deserves but right now I
am having to deal with half thought out patches for information leaks
from speculative code paths, so I won't be able to give this much
attention for a little bit.
Eric
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635