Hi,

I note that the unsolicited AUDIT_BPF audit event only provides a program id and operation (load or unload). For example,

type=BPF msg=audit(21/12/22 09:03:35.765:439) : prog-id=75 op=LOAD
or
type=BPF msg=audit(21/12/22 09:04:05.883:460) : prog-id=0 op=UNLOAD

I also note that the bpf auxiliary structure (struct bpf_prog_aux) that holds the program id value also holds a name (struct bpf_prog_aux->name) and uid (struct bpf_prog_aux->user_struct->uid).

Perhaps adding these two items to the AUDIT_BPF event would provide more security context for this unsolicited event.

Thoughts?

Rgds
Burn Alting
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
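
Added illustration, not part of the original message or of any audit project code: the Python below parses the two AUDIT_BPF records quoted in the message and pairs each UNLOAD with an earlier LOAD by prog-id, the only correlation key the record carries. The names `parse_bpf_records` and `pair_loads` are hypothetical.

```python
import re
from collections import namedtuple

# The two records quoted in the message above, embedded as sample input.
SAMPLE = """\
type=BPF msg=audit(21/12/22 09:03:35.765:439) : prog-id=75 op=LOAD
type=BPF msg=audit(21/12/22 09:04:05.883:460) : prog-id=0 op=UNLOAD
"""

BpfEvent = namedtuple("BpfEvent", "timestamp serial prog_id op")

# Inside audit(...), the event serial follows the last ':'; everything
# before it is the timestamp, whatever format it was rendered in.
RECORD = re.compile(
    r"^type=BPF msg=audit\((?P<ts>.+):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$"
)


def parse_bpf_records(text):
    """Return a BpfEvent for every well-formed type=BPF line in text."""
    events = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("body").split() if "=" in kv)
        # prog-id and op are the only fields these records carry.
        if "prog-id" not in fields or "op" not in fields:
            continue
        events.append(BpfEvent(m.group("ts"), int(m.group("serial")),
                               int(fields["prog-id"]), fields["op"]))
    return events


def pair_loads(events):
    """Match UNLOADs to earlier LOADs by prog-id.

    Returns (still_loaded, orphan_unloads): LOAD events with no matching
    UNLOAD keyed by prog-id, and UNLOAD events whose prog-id was never
    seen in a LOAD.
    """
    loaded, orphans = {}, []
    for ev in events:
        if ev.op == "LOAD":
            loaded[ev.prog_id] = ev
        elif ev.op == "UNLOAD" and loaded.pop(ev.prog_id, None) is None:
            orphans.append(ev)
    return loaded, orphans
```

On the two quoted records, the UNLOAD with prog-id=0 cannot be matched to the LOAD of prog-id=75, and nothing else in either record identifies the program or the user who loaded it.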