On Thursday, February 11, 2021 11:29:34 AM EST Paul Moore wrote:
> > If I'm not mistaken, iptables emits a single audit log per table, ipset
> > doesn't support audit at all. So I wonder how much audit logging is
> > required at all (for certification or whatever reason). How much
> > granularity i
On Wednesday, October 21, 2020 12:39:26 PM EDT Richard Guy Briggs wrote:
> > I think I have a way to generate a signal to multiple targets in one
> > syscall... The added challenge is to also give those targets different
> > audit container identifiers.
>
> Here is an example I was able to generat
" name="boot_aggregate" res=0 errno=-12
>
> [8.085456] audit: type=1802 audit(1592005947.297:9): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> op=policy_update cause=completed comm="systemd" res=1 errno=0
>
On Tuesday, June 16, 2020 3:53:40 PM EDT Mimi Zohar wrote:
> On Tue, 2020-06-16 at 11:55 -0400, Steve Grubb wrote:
> > On Tuesday, June 16, 2020 11:43:31 AM EDT Lakshmi Ramasubramanian wrote:
> > > On 6/16/20 8:29 AM, Steve Grubb wrote:
> > > >>>>> The ide
On Tuesday, June 16, 2020 11:43:31 AM EDT Lakshmi Ramasubramanian wrote:
> On 6/16/20 8:29 AM, Steve Grubb wrote:
> >>>>> The idea is a good idea, but you're assuming that "result" is always
> >>>>> errno. That was probabl
4294967295 subj=system_u:system_r:init_t:s0
> > op=policy_update cause=completed comm="systemd" res=1 result=0
> >
> > Signed-off-by: Lakshmi Ramasubramanian
> > Suggested-by: Steve Grubb
> > ---
> >
> > security/integrity/integrity_audi
On Monday, June 15, 2020 6:58:13 PM EDT Paul Moore wrote:
> On Mon, Jun 15, 2020 at 6:23 PM Steve Grubb wrote:
> > On Friday, June 12, 2020 3:50:14 PM EDT Lakshmi Ramasubramanian wrote:
> > > On 6/12/20 12:25 PM, Mimi Zohar wrote:
> > > > The idea is a good idea, bu
On Friday, June 12, 2020 3:50:14 PM EDT Lakshmi Ramasubramanian wrote:
> On 6/12/20 12:25 PM, Mimi Zohar wrote:
> > The idea is a good idea, but you're assuming that "result" is always
> > errno. That was probably true originally, but isn't now. For
> > example, ima_appraise_measurement() calls x
On Tuesday, June 9, 2020 1:15:55 PM EDT Richard Guy Briggs wrote:
> On 2020-06-09 10:00, Lakshmi Ramasubramanian wrote:
> > On 6/9/20 9:43 AM, Steve Grubb wrote:
> > > > The number in parenthesis is the error code (such as ENOMEM, EINVAL,
> > > > etc.) IMA uses thi
Hello,
On Tuesday, June 9, 2020 11:58:02 AM EDT Lakshmi Ramasubramanian wrote:
> On 6/9/20 8:40 AM, Steve Grubb wrote:
> > On Monday, June 8, 2020 5:53:43 PM EDT Lakshmi Ramasubramanian wrote:
> >> The final log statement in process_buffer_measurement() for failure
> >
On Monday, June 8, 2020 5:53:43 PM EDT Lakshmi Ramasubramanian wrote:
> The final log statement in process_buffer_measurement() for failure
> condition is at debug level. This does not log the message unless
> the system log level is raised which would significantly increase
> the messages in the s
On Thursday, June 4, 2020 1:57:56 PM EDT Richard Guy Briggs wrote:
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 468a23390457..3a9100e95fda 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -75,6 +75,7 @@
> > > #include
> > > #include
> > > #include
>
On Thursday, June 4, 2020 9:20:49 AM EDT Richard Guy Briggs wrote:
> iptables, ip6tables, arptables and ebtables table registration,
> replacement and unregistration configuration events are logged for the
> native (legacy) iptables setsockopt api, but not for the
> nftables netlink api which is us
On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote:
> On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs wrote:
> > On 2020-05-20 12:51, Richard Guy Briggs wrote:
> > > Some table unregister actions seem to be initiated by the kernel to
> > > garbage collect unused tables that are not ini
On Wednesday, May 6, 2020 6:42:33 PM EDT Richard Guy Briggs wrote:
> > > > We can't be adding deleting fields based on how its triggered. If
> > > > they are unset, that is fine. The main issue is they have to behave
> > > > the same.
> > >
> > > I don't think the intent was to have fields swing i
On Wednesday, April 29, 2020 5:32:47 PM EDT Richard Guy Briggs wrote:
> On 2020-04-29 14:47, Steve Grubb wrote:
> > On Wednesday, April 29, 2020 10:31:46 AM EDT Richard Guy Briggs wrote:
> > > On 2020-04-28 18:25, Paul Moore wrote:
> > > > On Wed, Apr 22, 2020
On Wednesday, April 29, 2020 10:31:46 AM EDT Richard Guy Briggs wrote:
> On 2020-04-28 18:25, Paul Moore wrote:
> > On Wed, Apr 22, 2020 at 5:40 PM Richard Guy Briggs wrote:
> > > Some table unregister actions seem to be initiated by the kernel to
> > > garbage collect unused tables that are not
On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote:
> * Steve Grubb:
> > Now with LD_AUDIT
> > $ LD_AUDIT=/home/sgrubb/test/openflags/strip-flags.so.0 strace ./test
> > 2>&1 | grep passwd openat(3, "passwd", O_RDONLY) = 4
> >
>
On Friday, September 6, 2019 11:24:50 AM EDT Mickaël Salaün wrote:
> The goal of this patch series is to control script interpretation. A
> new O_MAYEXEC flag used by sys_open() is added to enable userspace
> script interpreter to delegate to the kernel (and thus the system
> security policy) the
On Tuesday, April 16, 2019 7:49:39 AM EDT Florian Weimer wrote:
> * Steve Grubb:
> > This flag that is being proposed means that you would have to patch all
> > interpreters to use it. If you are sure that upstreams will accept that,
> > why not just change the policy to i
Hello,
On Wednesday, December 12, 2018 9:43:06 AM EDT Jan Kara wrote:
> On Wed 12-12-18 09:17:08, Mickaël Salaün wrote:
> > When the O_MAYEXEC flag is passed, sys_open() may be subject to
> > additional restrictions depending on a security policy implemented by an
> > LSM through the inode_permiss
On Thursday, March 7, 2019 7:32:54 AM EST Ondrej Mosnacek wrote:
> Emit an audit record every time selected NTP parameters are modified
> from userspace (via adjtimex(2) or clock_adjtime(2)).
>
> Such events will now generate records of type AUDIT_TIME_ADJNTPVAL
> containing the following fields:
On Thursday, March 7, 2019 7:32:53 AM EST Ondrej Mosnacek wrote:
> Emit an audit record whenever the system clock is changed (i.e. shifted
> by a non-zero offset) by a syscall from userspace. The syscalls that can
> (at the time of writing) trigger such record are:
> - settimeofday(2), stime(2),
On Mon, 28 Jan 2019 15:08:56 -0500
Paul Moore wrote:
> On Mon, Jan 28, 2019 at 3:03 PM Steve Grubb wrote:
> > On Mon, 28 Jan 2019 11:26:51 -0500
> > Paul Moore wrote:
> >
> > > On Mon, Jan 28, 2019 at 10:38 AM Sverdlin, Alexander (Nokia -
> > >
On Mon, 28 Jan 2019 11:26:51 -0500
Paul Moore wrote:
> On Mon, Jan 28, 2019 at 10:38 AM Sverdlin, Alexander (Nokia - DE/Ulm) wrote:
> > Hello Paul,
> >
> > On 28/01/2019 15:52, Paul Moore wrote:
> > > time also enables syscall auditing; this patch simplifies the
> > > Kconfig menus b
On Thu, 17 Jan 2019 08:21:40 -0500
Paul Moore wrote:
> On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb wrote:
> > On Mon, 14 Jan 2019 17:58:58 -0500
> > Paul Moore wrote:
> >
> > > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
> >
On Mon, 14 Jan 2019 17:58:58 -0500
Paul Moore wrote:
> On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
> >
> > Tie syscall information to all CONFIG_CHANGE calls since they are
> > all a result of user actions.
Please don't tie syscall information to this. The syscall will be
sendto
On Tuesday, May 22, 2018 9:43:46 AM EDT Richard Guy Briggs wrote:
> On 2018-05-21 17:57, Stefan Berger wrote:
> > On 05/21/2018 02:30 PM, Steve Grubb wrote:
> > > Hello Stefan,
> > >
> > > On Monday, May 21, 2018 1:53:04 PM EDT Stefan Berger wrote:
> >
On Monday, May 21, 2018 5:57:29 PM EDT Stefan Berger wrote:
> Should some of the fields from INTEGRITY_PCR also appear in
> INTEGRITY_RULE? If so, which ones?
> >>>
> >>> pid, uid, auid, tty, session, subj, comm, exe, res. <- these are
> >>> required to be searchable
> >>>
> We co
On Thursday, May 17, 2018 5:41:02 PM EDT Richard Guy Briggs wrote:
> On 2018-05-17 17:09, Steve Grubb wrote:
> > On Fri, 16 Mar 2018 05:00:30 -0400
> >
> > Richard Guy Briggs wrote:
> > > Create a new audit record AUDIT_CONTAINER_INFO to document the
> >
On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote:
> Add support for reading the container ID from the proc filesystem.
I think this could be useful in general. Please consider this to be part of
the full patch set and not something merely used to debug the patches.
-Steve
> Thi
Hello Stefan,
On Monday, May 21, 2018 2:04:08 PM EDT Stefan Berger wrote:
> On 05/21/2018 01:21 PM, Steve Grubb wrote:
> > On Friday, May 18, 2018 12:34:24 PM EDT Mimi Zohar wrote:
> >> On Fri, 2018-05-18 at 11:56 -0400, Richard Guy Briggs wrote:
> >>> On 2018
Hello Stefan,
On Monday, May 21, 2018 1:53:04 PM EDT Stefan Berger wrote:
> On 05/21/2018 12:58 PM, Steve Grubb wrote:
> > On Thursday, May 17, 2018 10:18:13 AM EDT Stefan Berger wrote:
> >>> audit_log_container_info() then releasing the local context. This
> >
On Friday, May 18, 2018 12:34:24 PM EDT Mimi Zohar wrote:
> On Fri, 2018-05-18 at 11:56 -0400, Richard Guy Briggs wrote:
> > On 2018-05-18 10:39, Mimi Zohar wrote:
> > > On Fri, 2018-05-18 at 09:54 -0400, Stefan Berger wrote:
> > > > On 05/18/2018 08:53 AM, Mimi Zohar wrote:
> > > [..]
> > >
> > >
On Thursday, May 17, 2018 10:18:13 AM EDT Stefan Berger wrote:
> > audit_log_container_info() then releasing the local context. This
> > version of the record has additional concerns covered here:
> > https://github.com/linux-audit/audit-kernel/issues/52
>
> Following the discussion there and the
On Fri, 18 May 2018 11:21:06 -0400
Richard Guy Briggs wrote:
> On 2018-05-18 09:56, Steve Grubb wrote:
> > On Thu, 17 May 2018 17:56:00 -0400
> > Richard Guy Briggs wrote:
> >
> > > > During syscall events, the path info is returned in a record
> > > >
On Thu, 17 May 2018 17:56:00 -0400
Richard Guy Briggs wrote:
> > During syscall events, the path info is returned in a record
> > simply called AUDIT_PATH, cwd info is returned in AUDIT_CWD. So,
> > rather than calling the record that gets attached to everything
> > AUDIT_CONTAINER_INFO, how ab
On Fri, 16 Mar 2018 05:00:30 -0400
Richard Guy Briggs wrote:
> Create a new audit record AUDIT_CONTAINER_INFO to document the
> container ID of a process if it is present.
As mentioned in a previous email, I think AUDIT_CONTAINER is more
suitable for the container record. One more comment below.
On Fri, 16 Mar 2018 05:00:28 -0400
Richard Guy Briggs wrote:
> Implement the proc fs write to set the audit container ID of a
> process, emitting an AUDIT_CONTAINER record to document the event.
>
> This is a write from the container orchestrator task to a proc entry
> of the form /proc/PID/cont
thread,errno,trace,log res=1
>
> If you then write an empty string to the sysctl, this audit record is
> emitted:
>
> type=CONFIG_CHANGE msg=audit(1525392494.413:138): op=seccomp-logging
> actions=(none) old-actions=kill_process,kill_thread,errno,trace,log
> res=1
>
>
On Thursday, May 3, 2018 6:36:18 PM EDT Tyler Hicks wrote:
> On 05/03/2018 04:12 PM, Steve Grubb wrote:
> > On Thursday, May 3, 2018 4:51:36 PM EDT Tyler Hicks wrote:
> >> On 05/03/2018 03:48 PM, Paul Moore wrote:
> >>> On Thu, May 3, 2018 at 4:42 PM, Steve Grubb wr
On Thursday, May 3, 2018 4:51:36 PM EDT Tyler Hicks wrote:
> On 05/03/2018 03:48 PM, Paul Moore wrote:
> > On Thu, May 3, 2018 at 4:42 PM, Steve Grubb wrote:
> >> On Thursday, May 3, 2018 4:18:26 PM EDT Paul Moore wrote:
> >>> On Wed, May 2, 2018 at 2:18 PM,
On Thursday, May 3, 2018 4:18:26 PM EDT Paul Moore wrote:
> On Wed, May 2, 2018 at 2:18 PM, Steve Grubb wrote:
> > On Wednesday, May 2, 2018 11:53:19 AM EDT Tyler Hicks wrote:
> >> The decision to log a seccomp action will always be subject to the
> >> value of the ke
hich is unordered and contains the log action twice,
> it results in the same actions value as the previous record:
>
> type=CONFIG_CHANGE msg=audit(1525275325.613:142): op=seccomp-logging
> actions=kill_process,kill_thread,errno,trace,log
> old-actions=kill_process,kill_thread,er
> > Writing the string "log log errno trace kill_process kill_thread", which
> > is unordered and contains the log action twice, results in the same
> >
> > value as the previous example for the actions field:
> > type=CONFIG_CHANGE msg=audit(
On Tuesday, April 17, 2018 6:06:24 PM EDT Paul Moore wrote:
> On Wed, Apr 11, 2018 at 8:46 AM, Richard Guy Briggs wrote:
> > Tie syscall information to FEATURE_CHANGE calls since it is a result of
> > user action.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/80
> >
> > Signed-
On Monday, April 16, 2018 10:11:01 AM EDT Richard Guy Briggs wrote:
> On 2018-04-16 09:26, Ondrej Mosnacek wrote:
> > 2018-04-10 1:34 GMT+02:00 Richard Guy Briggs :
> > > There were two formats of the audit MAC_STATUS record, one of which was
> > > more standard than the other. One listed enforcin
On Tuesday, March 13, 2018 8:35:44 PM EDT Andy Lutomirski wrote:
> On Wed, Mar 14, 2018 at 12:28 AM, Jiri Kosina wrote:
> > On Wed, 14 Mar 2018, Andy Lutomirski wrote:
> >> > Yes...I wished I was in on the beginning of this discussion. Here's the
> >> > problem. We need all tasks auditable
On Tuesday, March 13, 2018 8:28:57 PM EDT Jiri Kosina wrote:
> On Wed, 14 Mar 2018, Andy Lutomirski wrote:
> > > Yes...I wished I was in on the beginning of this discussion. Here's the
> > > problem. We need all tasks auditable unless specifically dismissed as
> > > uninteresting. This would be a t
On Tue, 13 Mar 2018 06:52:51 -0400
Richard Guy Briggs wrote:
> On 2018-03-13 11:38, Steve Grubb wrote:
> > On Tue, 13 Mar 2018 06:11:08 -0400
> > Richard Guy Briggs wrote:
> >
> > > On 2018-03-13 09:35, Steve Grubb wrote:
> > > > On Mon, 12 M
On Tue, 13 Mar 2018 06:11:08 -0400
Richard Guy Briggs wrote:
> On 2018-03-13 09:35, Steve Grubb wrote:
> > On Mon, 12 Mar 2018 11:52:56 -0400
> > Richard Guy Briggs wrote:
> >
> > > On 2018-03-12 11:53, Paul Moore wrote:
> > > > On Mon, Ma
On Mon, 12 Mar 2018 11:52:56 -0400
Richard Guy Briggs wrote:
> On 2018-03-12 11:53, Paul Moore wrote:
> > On Mon, Mar 12, 2018 at 11:26 AM, Richard Guy Briggs wrote:
> > > On 2018-03-12 11:12, Paul Moore wrote:
> > >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote:
>
On Mon, 12 Mar 2018 02:31:16 -0400
Richard Guy Briggs wrote:
> Audit link denied events were being unexpectedly produced in a
> disjoint way when audit was disabled, and when they were expected,
> there were duplicate PATH records. This patchset addresses both
> issues for symlinks and hardlinks
On Wed, 7 Mar 2018 18:43:42 -0500
Paul Moore wrote:
> ... and I just realized that linux-audit isn't on the To/CC line,
> adding them now.
>
> Link to the patch is below.
>
> * https://marc.info/?t=15204188763&r=1&w=2
Yes...I wished I was in on the beginning of this discussion. Here's the
p
On Monday, February 12, 2018 12:02:21 AM EST Richard Guy Briggs wrote:
> Tracefs or debugfs were causing hundreds to thousands of null PATH
> records to be associated with the init_module and finit_module SYSCALL
> records on a few modules when the following rule was in place for
> startup:
>
On Wednesday, February 14, 2018 11:18:20 AM EST Richard Guy Briggs wrote:
> Audit link denied events were being unexpectedly produced in a disjoint
> way when audit was disabled, and when they were expected, there were
> duplicate PATH records. This patchset addresses both issues for
> symlinks an
On Monday, December 11, 2017 11:30:57 AM EST Eric Paris wrote:
> > Because a container doesn't have to use namespaces to be a container
> > you still need a mechanism for a process to declare that it is in
> > fact
> > in a container, and to identify the container.
>
> I like the idea but I'm stil
On Thursday, November 9, 2017 3:52:46 PM EST Richard Guy Briggs wrote:
> > >> > It might be simplest to just apply a corrective patch over top of
> > >> > this one so that you don't have to muck about with git branches and
> > >> > commit messages.
> > >>
> > >> A quick note on the "corrective pat
On Thursday, November 9, 2017 10:18:10 AM EST Paul Moore wrote:
> On Wed, Nov 8, 2017 at 6:29 PM, Steve Grubb wrote:
> > On Wednesday, September 20, 2017 12:52:32 PM EST Paul Moore wrote:
> >> On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote:
> >> > T
On Wednesday, September 20, 2017 12:52:32 PM EST Paul Moore wrote:
> On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote:
> > Tracefs or debugfs were causing hundreds to thousands of null PATH
> > records to be associated with the init_module and finit_module SYSCALL
> > records on a few mod
On Thursday, October 19, 2017 7:11:33 PM EDT Aleksa Sarai wrote:
> >>> The registration is a pseudo filesystem (proc, since PID tree already
> >>> exists) write of a u8[16] UUID representing the container ID to a file
> >>> representing a process that will become the first process in a new
> >>> co
On Tuesday, October 17, 2017 1:57:43 PM EDT James Bottomley wrote:
> > > > The idea is that processes spawned into a container would be
> > > > labelled by the container orchestration system. It's unclear
> > > > what should happen to processes using nsenter after the fact, but
> > > > policy for
On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> > The idea is that processes spawned into a container would be labelled
> > by the container orchestration system. It's unclear what should happen
> > to processes using nsenter after the fact, but policy for that should
> > be
On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote:
> On 2017-10-12 16:33, Casey Schaufler wrote:
> > On 10/12/2017 7:14 AM, Richard Guy Briggs wrote:
> > > Containers are a userspace concept. The kernel knows nothing of them.
> > >
> > > The Linux audit system needs a way to be
On Thursday, October 12, 2017 10:14:00 AM EDT Richard Guy Briggs wrote:
> Containers are a userspace concept. The kernel knows nothing of them.
>
> The Linux audit system needs a way to be able to track the container
> provenance of events and actions. Audit needs the kernel's help to do
> this.
On Thursday, September 7, 2017 6:36:32 PM EDT Paul Moore wrote:
> On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote:
> > Tracefs or debugfs were causing hundreds to thousands of PATH records to
> > be associated with the init_module and finit_module SYSCALL records on a
> >
> > few module
On Friday, April 7, 2017 6:16:08 PM EDT Tyler Hicks wrote:
> On 02/22/2017 12:46 PM, Kees Cook wrote:
> > On Thu, Feb 16, 2017 at 3:29 PM, Kees Cook wrote:
> >> On Wed, Feb 15, 2017 at 7:24 PM, Andy Lutomirski wrote:
> >>> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks wrote:
> This patch s
On Tuesday, March 7, 2017 11:00:27 AM EST Richard Guy Briggs wrote:
> On 2017-03-07 10:41, Steven Rostedt wrote:
> > On Mon, 6 Mar 2017 22:39:54 -0500
> >
> > Richard Guy Briggs wrote:
> > > From the output I've seen, it doesn't look particularly useful, but it
> > > was useful to finally
On Monday, March 6, 2017 4:49:21 PM EST Richard Guy Briggs wrote:
> > Blocking PATH record on creation based on syscall *really* seems like
> > a bad/dangerous idea. If we want to block all these tracefs/debugfs
> > records, let's just block the fs. Although as of right now I'm not a
> > fan of b
On Friday, March 3, 2017 4:14:54 PM EST Richard Guy Briggs wrote:
> > > > 1 - In __audit_inode_child, return immediately upon detecting TRACEFS and
> > > > DEBUGFS (and potentially other filesystems identified, via s_magic).
> >
> > XFS creates them too. Who knows what else.
>
> Wh
On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote:
> Sorry, I forgot to include Cc: in this cover letter for context to the 4
> alt patches.
>
> On 2017-02-28 22:15, Richard Guy Briggs wrote:
> > The background to this is:
> > https://github.com/linux-audit/audit-kernel/is
On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs wrote:
> > On 2017-02-14 13:02, Steve Grubb wrote:
> >> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> >> > On Sat, Feb 4, 2017
On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs wrote:
> > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >
> > We get finit_module for free since it made most sense to hook this in to
> > load_module().
> >
On Friday, February 3, 2017 7:18:58 PM EST Paul Moore wrote:
> On Tue, Jan 31, 2017 at 3:02 PM, Richard Guy Briggs wrote:
> > On 2017-01-31 11:07, Paul Moore wrote:
> >> On Tue, Jan 31, 2017 at 7:36 AM, Richard Guy Briggs wrote:
> >> > On 2017-01-31 06:59, Paul Moore wrote:
> >> >> On Thu, Jan 2
On Tue, 31 Jan 2017 11:07:24 -0500
Paul Moore wrote:
> On Tue, Jan 31, 2017 at 7:36 AM, Richard Guy Briggs wrote:
> > On 2017-01-31 06:59, Paul Moore wrote:
> >> On Thu, Jan 26, 2017 at 4:21 PM, Richard Guy Briggs wrote:
> >> > This adds a new auxiliary record MODULE_INIT to the SYSC
On Thu, 26 Jan 2017 14:50:07 -0500
Richard Guy Briggs wrote:
> This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
Thanks, this is definitely needed. Can you provide an example event
generated by this?
-Steve
> We get finit_module for free since it made most sense to hook this i
On Tuesday, January 3, 2017 12:44:41 PM EST Kees Cook wrote:
> >> That doesn't fully solve #3 for me. In Ubuntu (and I think Debian), we
> >> build with CONFIG_AUDIT enabled but don't ship auditd by default so
> >> audit_enabled is false. In that default configuration, we still want
> >> seccomp au
On Monday, January 2, 2017 5:42:47 PM EST Tyler Hicks wrote:
> On 2017-01-02 12:20:53, Steve Grubb wrote:
> > On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote:
> > > Generate audit records for SECCOMP_RET_ERRNO actions, which were
> > > previously not audited
On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote:
> Generate audit records for SECCOMP_RET_ERRNO actions, which were
> previously not audited.
>
> Additionally, include the errno value that will be set in the audit
> message.
>
> Signed-off-by: Tyler Hicks
> ---
> include/linux/audit
On Thursday, June 09, 2016 07:59:43 PM Richard Guy Briggs wrote:
> On 16/06/09, Steve Grubb wrote:
> > On Wednesday, June 08, 2016 10:05:01 PM Deepa Dinamani wrote:
> > > struct timespec is not y2038 safe.
> > > Audit timestamps are recorded in string format into
>
On Wednesday, June 08, 2016 10:05:01 PM Deepa Dinamani wrote:
> struct timespec is not y2038 safe.
> Audit timestamps are recorded in string format into
> an audit buffer for a given context.
> These mark the entry timestamps for the syscalls.
> Use y2038 safe struct timespec64 to represent the tim
On Thursday, April 21, 2016 09:29:57 PM Paul Moore wrote:
> On Thu, Apr 21, 2016 at 2:14 PM, Richard Guy Briggs wrote:
> > The tty field was missing from AUDIT_LOGIN events.
> >
> > Refactor code to create a new function audit_get_tty(), using it to
> > replace the call in audit_log_task_info() a
On Tuesday, April 05, 2016 07:02:48 PM Oliver Neukum wrote:
> On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote:
> > Consider the following scenario. Currently we have device drivers
> > that emit text via a printk request which is eventually picked up by
> > syslog like implementation (not th
On Monday, April 04, 2016 12:02:42 AM wmealing wrote:
> I'm looking to create an audit trail for when devices are added or removed
> from the system.
>
> The audit subsystem is a logging subsystem in kernel space that can be
> used to create advanced filters on generated events. It has partnered
On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > From: Wade Mealing
> >
> > Gday,
> >
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
>
> Then please do it in userspace, as I
On Tuesday, December 22, 2015 09:24:56 AM Paul Moore wrote:
> On Tuesday, December 22, 2015 04:03:06 AM Richard Guy Briggs wrote:
> > Nothing prevents a new auditd starting up and replacing a valid
> > audit_pid when an old auditd is still running, effectively starving out
> > the old auditd since
On Monday, December 21, 2015 04:48:00 PM Paul Moore wrote:
> On Wednesday, December 16, 2015 11:23:19 AM Steve Grubb wrote:
> > On Wednesday, December 16, 2015 10:42:32 AM Richard Guy Briggs wrote:
> > > Nothing prevents a new auditd starting up and replacing a valid
> >
Hello Richard,
Public reply this time. :-)
On Wednesday, December 16, 2015 10:42:32 AM Richard Guy Briggs wrote:
> Nothing prevents a new auditd starting up and replacing a valid
> audit_pid when an old auditd is still running, effectively starving out
> the old auditd since audit_pid no longer
te and people really don't want to see anything in their
> logs, I suppose we could always add a sysctl knob to turn off the
> message completely (we would still need to do whatever audit records
> are required, see below).
>
> Wearing my audit hat, I want to make sure we tick off
Hello,
If a daemon using FANOTIFY needs to open a file on a watched filesystem and
it's wanting OPEN_PERM events, we get deadlock. (This could happen because
of a library the daemon is using suddenly decides it needs to look in a new
file.) Even though the man page says that the daemon should appro
On Fri, 18 Sep 2015 03:52:43 -0400
Richard Guy Briggs wrote:
> A bug was introduced by "audit: try harder to send to auditd upon
> netlink failure", caused by incomplete code and a function that
> expects a string and does not accept a format plus arguments. Create
> a temporary string variable
On Thursday, August 06, 2015 04:24:58 PM Paul Moore wrote:
> On Wednesday, August 05, 2015 04:29:38 PM Richard Guy Briggs wrote:
> > This adds the ability to audit the actions of children of a not-yet-running
> > process.
> >
> > This is a split-out of a heavily modified version of a p
On Wednesday, August 05, 2015 03:16:58 PM Paul Moore wrote:
> On Wednesday, August 05, 2015 02:30:14 AM Richard Guy Briggs wrote:
> > On 15/08/04, Paul Moore wrote:
> > > On Saturday, August 01, 2015 03:42:23 PM Richard Guy Briggs wrote:
> > > > Signed-off-by: Richard Guy Briggs
> > > > ---
> > >
On Tuesday, July 14, 2015 11:50:22 AM Richard Guy Briggs wrote:
> Please see the accompanying userspace patchset:
> https://www.redhat.com/archives/linux-audit/2015-July/thread.html
> [[PATCH V2] 0/2] Log on the future execution of a path
> The userspace interface is not expected to cha
On Thursday, May 14, 2015 08:31:45 PM Eric W. Biederman wrote:
> Paul Moore writes:
> > As Eric, and others, have stated, the container concept is a userspace
> > idea, not a kernel idea; the kernel only knows, and cares about,
> > namespaces. This is unlikely to change.
> >
> > However, as Stev
On Thursday, May 14, 2015 11:23:09 PM Andy Lutomirski wrote:
> On Thu, May 14, 2015 at 7:32 PM, Richard Guy Briggs wrote:
> > On 15/05/14, Paul Moore wrote:
> >> * Look at our existing audit records to determine which records should have
> >> namespace and container ID tokens added. We may o
On Thursday, May 14, 2015 10:42:38 AM Eric W. Biederman wrote:
> Steve Grubb writes:
> > On Tuesday, May 12, 2015 03:57:59 PM Richard Guy Briggs wrote:
> >> On 15/05/05, Steve Grubb wrote:
> >> > I think there needs to be some more discussion around this. It seems
On Tuesday, May 12, 2015 03:57:59 PM Richard Guy Briggs wrote:
> On 15/05/05, Steve Grubb wrote:
> > I think there needs to be some more discussion around this. It seems like
> > this is not exactly recording things that are useful for audit.
>
> It seems to me that either
Hello,
I think there needs to be some more discussion around this. It seems like this
is not exactly recording things that are useful for audit.
On Friday, April 17, 2015 03:35:52 AM Richard Guy Briggs wrote:
> Log the creation and deletion of namespace instances in all 6 types of
> namespaces.
On Tuesday, May 05, 2015 10:31:20 AM Aristeu Rozanski wrote:
> Hi Steve,
>
> On Tue, May 05, 2015 at 10:22:32AM -0400, Steve Grubb wrote:
> > The requirements for auditing of containers should be derived from VPP. In
> > it, it asks for selectable auditing, selective audit