Re: [PATCH] audit: add task history record

On 2023/08/24 23:26, Paul Moore wrote: > On Thu, Aug 24, 2023 at 9:47 AM Tetsuo Handa > <penguin-kernel(a)i-love.sakura.ne.jp&gt; wrote: >> On 2023/08/24 22:39, Tetsuo Handa wrote: >>>>> (1) Catch _all_ process creations (both via fork()/clone() system calls and >>>>> kthread_create() from the kernel), and duplicate the history upon process >>>>> creation. >>>> >>>> Create an audit filter rule to record the syscalls you are interested >>>> in logging. >>> >>> I can't interpret what you are talking about. Please show me using command >>> line. >> >> I'm not interested in logging the syscalls just for maintaining process history >> information. > > That's unfortunate because I'm not interested in merging your patch > when we already have an audit log which can be used to trace process > history information. It is unfortunate that you continue ignoring the How can auditd generate logs that are not triggered via syscalls? line. I know how to configure syscall rules using "-S" option. But I do not know how to configure non syscall rules (such as process creation via kthread_create(), process termination due to tty hangup or OOM killer).

I repeat: The auditd is not capable of generating _all_ records needed for maintaining this information. The logs generated via system call auditing is just an example user of this information.