Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-09 Thread Steve Grubb
On Tuesday, March 7, 2017 11:00:27 AM EST Richard Guy Briggs wrote: > On 2017-03-07 10:41, Steven Rostedt wrote: > > On Mon, 6 Mar 2017 22:39:54 -0500 > > > > Richard Guy Briggs wrote: > > > From the output I've seen, it doesn't look particularly useful, but it > > > > > > was useful to

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-09 Thread Steve Grubb
On Monday, March 6, 2017 4:49:21 PM EST Richard Guy Briggs wrote: > > Blocking PATH record on creation based on syscall *really* seems like > > a bad/dangerous idea. If we want to block all these tracefs/debugfs > > records, let's just block the fs. Although as of right now I'm not a > > fan of

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-09 Thread Steve Grubb
On Friday, March 3, 2017 4:14:54 PM EST Richard Guy Briggs wrote: > > > > 1 - In __audit_inode_child, return immediately upon detecting TRACEFS > > > > and > > > > > > > > DEBUGFS (and potentially other filesystems identified, via s_magic). > > > > XFS creates them too. Who knows what else. > >

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-07 Thread Richard Guy Briggs
On 2017-03-07 14:09, Steven Rostedt wrote: > On Tue, 7 Mar 2017 13:34:47 -0500 > Richard Guy Briggs wrote: > > > On 2017-03-07 13:04, Steven Rostedt wrote: > > > On Tue, 7 Mar 2017 12:39:55 -0500 > > > Richard Guy Briggs wrote: > > > > > > > We normally don't expect the init_module syscall

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-07 Thread Steven Rostedt
On Tue, 7 Mar 2017 12:39:55 -0500 Richard Guy Briggs wrote: > We normally don't expect the init_module syscall to have any PATH > records associated with it, so when a few of them had hundreds or more > this was surprising. Hmm, how does the syscall get a path associated to it? Just by its

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-07 Thread Steven Rostedt
On Tue, 7 Mar 2017 13:34:47 -0500 Richard Guy Briggs wrote: > On 2017-03-07 13:04, Steven Rostedt wrote: > > On Tue, 7 Mar 2017 12:39:55 -0500 > > Richard Guy Briggs wrote: > > > > > We normally don't expect the init_module syscall to have any PATH > > > records associated with it, so when a

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-07 Thread Richard Guy Briggs
On 2017-03-07 13:04, Steven Rostedt wrote: > On Tue, 7 Mar 2017 12:39:55 -0500 > Richard Guy Briggs wrote: > > > We normally don't expect the init_module syscall to have any PATH > > records associated with it, so when a few of them had hundreds or more > > this was surprising. > > Hmm, how

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-07 Thread Richard Guy Briggs
On 2017-03-07 11:20, Steven Rostedt wrote: > On Tue, 7 Mar 2017 11:00:27 -0500 > Richard Guy Briggs wrote: > > > On 2017-03-07 10:41, Steven Rostedt wrote: > > > On Mon, 6 Mar 2017 22:39:54 -0500 > > > Richard Guy Briggs wrote: > > > > > > > From the output I've seen, it doesn't look

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-07 Thread Richard Guy Briggs
On 2017-03-07 10:41, Steven Rostedt wrote: > On Mon, 6 Mar 2017 22:39:54 -0500 > Richard Guy Briggs wrote: > > > From the output I've seen, it doesn't look particularly useful, but it > > was useful to finally see the source of those huge numbers of PATH > > records. Here's an fpaste: > >

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-07 Thread Steven Rostedt
On Tue, 7 Mar 2017 11:00:27 -0500 Richard Guy Briggs wrote: > On 2017-03-07 10:41, Steven Rostedt wrote: > > On Mon, 6 Mar 2017 22:39:54 -0500 > > Richard Guy Briggs wrote: > > > > > From the output I've seen, it doesn't look particularly useful, but it > > > > > > > was useful to

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-07 Thread Steven Rostedt
On Mon, 6 Mar 2017 22:39:54 -0500 Richard Guy Briggs wrote: > From the output I've seen, it doesn't look particularly useful, but it > was useful to finally see the source of those huge numbers of PATH > records. Here's an fpaste: > >

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-07 Thread Steven Rostedt
On Fri, 3 Mar 2017 19:19:47 -0500 Paul Moore wrote: > On Tue, Feb 28, 2017 at 10:37 PM, Richard Guy Briggs wrote: > > Sorry, I forgot to include Cc: in this cover letter for context to the 4 > > alt patches. > > > > On 2017-02-28 22:15, Richard Guy Briggs wrote: > >> The background to this

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-06 Thread Richard Guy Briggs
On 2017-03-03 19:19, Paul Moore wrote: > On Tue, Feb 28, 2017 at 10:37 PM, Richard Guy Briggs wrote: > > Sorry, I forgot to include Cc: in this cover letter for context to the 4 > > alt patches. > > > > On 2017-02-28 22:15, Richard Guy Briggs wrote: > >> The background to this is: > >>

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-06 Thread Richard Guy Briggs
On 2017-03-06 17:30, Jessica Yu wrote: > +++ Richard Guy Briggs [06/03/17 16:49 -0500]: > >On 2017-03-03 19:22, Paul Moore wrote: > >>On Fri, Mar 3, 2017 at 4:14 PM, Richard Guy Briggs wrote: > >>> On 2017-02-28 23:15, Steve Grubb wrote: > On Tuesday, February 28, 2017 10:37:04 PM EST

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-06 Thread Richard Guy Briggs
On 2017-03-03 19:22, Paul Moore wrote: > On Fri, Mar 3, 2017 at 4:14 PM, Richard Guy Briggs wrote: > > On 2017-02-28 23:15, Steve Grubb wrote: > >> On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote: > >> > Sorry, I forgot to include Cc: in this cover letter for context to the

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-06 Thread Jessica Yu
+++ Richard Guy Briggs [06/03/17 16:49 -0500]: On 2017-03-03 19:22, Paul Moore wrote: On Fri, Mar 3, 2017 at 4:14 PM, Richard Guy Briggs wrote: > On 2017-02-28 23:15, Steve Grubb wrote: >> On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote: >> > Sorry, I forgot to include

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-03 Thread Paul Moore
On Fri, Mar 3, 2017 at 4:14 PM, Richard Guy Briggs wrote: > On 2017-02-28 23:15, Steve Grubb wrote: >> On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote: >> > Sorry, I forgot to include Cc: in this cover letter for context to the 4 >> > alt patches. >> > >> > On 2017-02-28

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-03 Thread Paul Moore
On Tue, Feb 28, 2017 at 10:37 PM, Richard Guy Briggs wrote: > Sorry, I forgot to include Cc: in this cover letter for context to the 4 > alt patches. > > On 2017-02-28 22:15, Richard Guy Briggs wrote: >> The background to this is: >> https://github.com/linux-audit/audit-kernel/issues/8 >>

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-03-03 Thread Richard Guy Briggs
On 2017-02-28 23:15, Steve Grubb wrote: > On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote: > > Sorry, I forgot to include Cc: in this cover letter for context to the 4 > > alt patches. > > > > On 2017-02-28 22:15, Richard Guy Briggs wrote: > > > The background to this is: >

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-02-28 Thread Steve Grubb
On Tuesday, February 28, 2017 10:37:04 PM EST Richard Guy Briggs wrote: > Sorry, I forgot to include Cc: in this cover letter for context to the 4 > alt patches. > > On 2017-02-28 22:15, Richard Guy Briggs wrote: > > The background to this is: > >

Re: Hundreds of null PATH records for *init_module syscall audit logs

2017-02-28 Thread Richard Guy Briggs
Sorry, I forgot to include Cc: in this cover letter for context to the 4 alt patches. On 2017-02-28 22:15, Richard Guy Briggs wrote: > The background to this is: > https://github.com/linux-audit/audit-kernel/issues/8 > > In short, audit SYSCALL records for *init_module were occasionally >

Hundreds of null PATH records for *init_module syscall audit logs

2017-02-28 Thread Richard Guy Briggs
The background to this is: https://github.com/linux-audit/audit-kernel/issues/8 In short, audit SYSCALL records for *init_module were occasionally accompanied by hundreds to thousands of null PATH records. I chatted with Al Viro and Eric Paris about this Friday afternoon and they seemed
