Re: [PATCH ghak90 V9 05/13] audit: log container info of syscalls

2020-10-21 Thread Steve Grubb
On Wednesday, October 21, 2020 12:39:26 PM EDT Richard Guy Briggs wrote: > > I think I have a way to generate a signal to multiple targets in one > > syscall... The added challenge is to also give those targets different > > audit container identifiers. > > Here is an example I was able to generat

Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls

2018-07-23 Thread Steve Grubb
On Sunday, July 22, 2018 4:55:10 PM EDT Richard Guy Briggs wrote: > On 2018-07-22 09:32, Steve Grubb wrote: > > On Saturday, July 21, 2018 4:29:30 PM EDT Richard Guy Briggs wrote: > > > > > + * audit_log_contid - report container info > > > > > + * @tsk: tas

Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls

2018-06-06 Thread Steve Grubb
On Wednesday, June 6, 2018 12:58:29 PM EDT Richard Guy Briggs wrote: > Create a new audit record AUDIT_CONTAINER to document the audit > container identifier of a process if it is present. > > Called from audit_log_exit(), syscalls are covered. > > A sample raw event: > type=SYSCALL msg=audit(151

Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls

2018-05-21 Thread Steve Grubb
On Thursday, May 17, 2018 5:41:02 PM EDT Richard Guy Briggs wrote: > On 2018-05-17 17:09, Steve Grubb wrote: > > On Fri, 16 Mar 2018 05:00:30 -0400 > > > > Richard Guy Briggs wrote: > > > Create a new audit record AUDIT_CONTAINER_INFO to document the > >

Re: [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process

2018-05-21 Thread Steve Grubb
On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote: > Add support for reading the container ID from the proc filesystem. I think this could be useful in general. Please consider this to be part of the full patch set and not something merely used to debug the patches. -Steve > Thi

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-05-18 Thread Steve Grubb
On Fri, 18 May 2018 11:21:06 -0400 Richard Guy Briggs wrote: > On 2018-05-18 09:56, Steve Grubb wrote: > > On Thu, 17 May 2018 17:56:00 -0400 > > Richard Guy Briggs wrote: > > > > > > During syscall events, the path info is returned in a record > > >

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-05-18 Thread Steve Grubb
On Thu, 17 May 2018 17:56:00 -0400 Richard Guy Briggs wrote: > > During syscall events, the path info is returned in a record > > simply called AUDIT_PATH, cwd info is returned in AUDIT_CWD. So, > > rather than calling the record that gets attached to everything > > AUDIT_CONTAINER_INFO, how ab

Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls

2018-05-17 Thread Steve Grubb
On Fri, 16 Mar 2018 05:00:30 -0400 Richard Guy Briggs wrote: > Create a new audit record AUDIT_CONTAINER_INFO to document the > container ID of a process if it is present. As mentioned in a previous email, I think AUDIT_CONTAINER is more suitable for the container record. One more comment below.

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-05-17 Thread Steve Grubb
On Fri, 16 Mar 2018 05:00:28 -0400 Richard Guy Briggs wrote: > Implement the proc fs write to set the audit container ID of a > process, emitting an AUDIT_CONTAINER record to document the event. > > This is a write from the container orchestrator task to a proc entry > of the form /proc/PID/cont

Re: RFC(v2): Audit Kernel Container IDs

2017-12-11 Thread Steve Grubb
On Monday, December 11, 2017 11:30:57 AM EST Eric Paris wrote: > > Because a container doesn't have to use namespaces to be a container > > you still need a mechanism for a process to declare that it is in > > fact > > in a container, and to identify the container. > > I like the idea but I'm stil

Re: RFC(v2): Audit Kernel Container IDs

2017-10-19 Thread Steve Grubb
On Thursday, October 19, 2017 7:11:33 PM EDT Aleksa Sarai wrote: > >>> The registration is a pseudo filesystem (proc, since PID tree already > >>> exists) write of a u8[16] UUID representing the container ID to a file > >>> representing a process that will become the first process in a new > >>> co

Re: RFC(v2): Audit Kernel Container IDs

2017-10-17 Thread Steve Grubb
On Tuesday, October 17, 2017 1:57:43 PM EDT James Bottomley wrote: > > > > The idea is that processes spawned into a container would be > > > > labelled by the container orchestration system. It's unclear > > > > what should happen to processes using nsenter after the fact, but > > > > policy for

Re: RFC(v2): Audit Kernel Container IDs

2017-10-17 Thread Steve Grubb
On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote: > > The idea is that processes spawned into a container would be labelled > > by the container orchestration system. It's unclear what should happen > > to processes using nsenter after the fact, but policy for that should > > be

Re: RFC(v2): Audit Kernel Container IDs

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote: > On 2017-10-12 16:33, Casey Schaufler wrote: > > On 10/12/2017 7:14 AM, Richard Guy Briggs wrote: > > > Containers are a userspace concept. The kernel knows nothing of them. > > > > > > The Linux audit system needs a way to be

Re: RFC(v2): Audit Kernel Container IDs

2017-10-12 Thread Steve Grubb
On Thursday, October 12, 2017 10:14:00 AM EDT Richard Guy Briggs wrote: > Containers are a userspace concept. The kernel knows nothing of them. > > The Linux audit system needs a way to be able to track the container > provenance of events and actions. Audit needs the kernel's help to do > this.

Re: [PATCH] XFRM: Display the audited SPI value in host byte order

2007-12-12 Thread Steve Grubb
On Wednesday 12 December 2007 14:05:42 Paul Moore wrote: > This patch corrects this inconsistency by writing the SPI values to the > audit record in host byte order. Looks OK, to me, too. -Steve -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMA

Re: [PATCH]: revised make xfrm_audit_log more generic patch

2007-07-24 Thread Steve Grubb
On Tuesday 24 July 2007 12:33:26 pm Joy Latten wrote: > > It also wouldn't hurt to change the text being sent to this function to > > have a hyphen instead of a space, so "SPD delete" becomes "SPD-delete". > > This keeps the parser happy. > > Steve, more for my education, should all entries have th

Re: [PATCH] make xfrm_audit_log more generic

2007-07-23 Thread Steve Grubb
On Monday 23 July 2007 13:49:17 Joy Latten wrote: > > Will this cause existing applications to break? > > Perhaps someone in audit list could help answer this. Probably. It's better to take a new number and let the old ones sit idle. -Steve

Re: [PATCH 1/1] add auditing to ipsec

2006-11-29 Thread Steve Grubb
On Monday 27 November 2006 14:11, Joy Latten wrote: > Please let me know if this is acceptable. From an audit perspective, it looks good. -Steve

Re: [PATCH 1/1] add auditing to ipsec

2006-11-27 Thread Steve Grubb
On Monday 27 November 2006 17:26, Joy Latten wrote: > This patch adds auditing to ipsec in > support of labeled ipsec. The audit changes in this patch look good to me. -Steve Grubb

Re: [PATCH 1/1] NetLabel: audit fixups due to delayed feedback

2006-09-29 Thread Steve Grubb
On Friday 29 September 2006 18:39, [EMAIL PROTECTED] wrote: > This should make NetLabel more consistent with other kernel > generated audit messages specifying configuration changes. OK, this looks better. We may fine tune the messages later after we try it out, but all the issues I saw are fixed

Re: [PATCH 1/1] NetLabel: add audit support for configuration changes

2006-09-29 Thread Steve Grubb
On Thursday 28 September 2006 14:03, [EMAIL PROTECTED] wrote: > This patch adds audit support to NetLabel, including six new audit message > types shown below. > > #define AUDIT_MAC_UNLBL_ACCEPT 1406 > #define AUDIT_MAC_UNLBL_DENY 1407 > #define AUDIT_MAC_CIPSOV4_ADD 1408 > #define AUDIT_MAC

Re: [RFC 2/7] NetLabel: core network changes

2006-06-22 Thread Steve Grubb
On Thursday 22 June 2006 05:00, David Miller wrote: > >  #define NETLINK_GENERIC  16 > > +#define NETLINK_NETLABEL 17  /* Network packet labeling */ > >   > >  #define MAX_LINKS 32  > > Please use generic netlink. Since this is a security interface, shouldn't it be its