On 2023/08/08 3:54, Steve Grubb wrote:
>>> What I would suggest is to make a separate record: AUDIT_PROC_TREE that
>>> describes process tree from the one killed up to the last known parent.
>>> This way you can define your own format and SYSCALL can stay as everyone
>>> expects it to look. In the EXECVE audit record, there is a precedent of
>>> using argv[0]=xx argv[1]=xx argv[2]=yy and so on. If you want to make
>>> these generally parsable without special knowledge of the record format,
>>> I'd suggest something like it.
>>
>> Yes,
>> https://lkml.kernel.org/r/201501202220.djj34834.oljohfmqoft...@i-love.sakuRA.ne.jp
>> used AUDIT_PROCHISTORY instead of LSM hooks, but that thread died there.
>
> I do not read that mail list. AUDIT_PROC_HIST or AUDIT_PROC_CHAIN or
> something like that would be the better way to go. If someone wanted to see
> if they have process history for a segfault, how would they do it with the
> proposed record?

Avoiding bloat of audit log files could be done when saving into audit log files, but avoiding the overhead of tracking/recording this history information would need to be done using kernel command line options. Is there a kernel command line option that can configure whether to include (and what to be included into) this history information or not? If an LSM is used, a kernel command line option like lsm=tt can be used for telling the kernel to include this history information, and kernel command line options like tt.size=512 tt.fields=name,stamp for telling the kernel the max history length and the fields to include.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
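The point Steve makes above is that an indexed key=value layout (argv[0]=..., argv[1]=... or the real EXECVE a0=, a1=) lets a consumer reconstruct the process chain without record-specific knowledge. The following is an added example, not code from this thread or from the audit userspace project: a small parser that treats every `name[i]=` or `aN=` field generically and rebuilds the ancestry for an event. The PROC_TREE record it consumes is a constructed sample of the proposed layout (the record does not exist in the kernel; its field names `depth`, `pid[i]`, `comm[i]`, with index 0 being the process itself, are assumptions), and the SYSCALL record is abbreviated.

```python
import re

# Constructed sample event, three records sharing one serial (77).
# PROC_TREE is the proposed record from the thread, not real kernel output;
# its layout (depth=, pid[i]=, comm[i]=, index 0 = the process itself) is assumed.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1691462040.123:77): arch=c000003e syscall=59 success=yes '
    'exit=0 pid=5678 ppid=1234 comm="crash" exe="/usr/local/bin/crash"',
    'type=EXECVE msg=audit(1691462040.123:77): argc=2 a0="crash" a1="--now"',
    'type=PROC_TREE msg=audit(1691462040.123:77): depth=4 pid[0]=5678 comm[0]="crash" '
    'pid[1]=1234 comm[1]="bash" pid[2]=800 comm[2]="sshd" pid[3]=1 comm[3]="systemd"',
]

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value, where the value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')
INDEXED_RE = re.compile(r'^([A-Za-z_]+)\[(\d+)\]$')   # pid[3], comm[0], argv[1]
EXECVE_ARG_RE = re.compile(r'^(a)(\d+)$')            # a0, a1 ... as real EXECVE emits


def parse_record(line):
    """Split one audit record into header, plain fields and indexed fields.

    Indexed keys (name[i]= or aN=) are collected as indexed[name][i] so the
    caller needs no knowledge of how many entries a particular record carries.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    fields, indexed = {}, {}
    for key, raw in FIELD_RE.findall(body):
        value = raw[1:-1] if raw.startswith('"') else raw
        im = INDEXED_RE.match(key) or EXECVE_ARG_RE.match(key)
        if im:
            name, idx = im.group(1), int(im.group(2))
            indexed.setdefault(name, {})[idx] = value
        else:
            fields[key] = value
    return {"type": rtype, "ts": float(ts), "serial": int(serial),
            "fields": fields, "indexed": indexed}


def group_by_event(lines):
    """Collect records that share one audit serial, keyed by record type."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events


def process_chain(tree_record):
    """Rebuild [(pid, comm), ...] from pid[i]/comm[i], index 0 first.

    Stops at the first missing index so a truncated record (the thread
    discusses capping history length) still yields the contiguous prefix.
    """
    pids = tree_record["indexed"].get("pid", {})
    comms = tree_record["indexed"].get("comm", {})
    depth = int(tree_record["fields"].get("depth", len(pids)))
    chain = []
    for i in range(depth):
        if i not in pids:
            break
        chain.append((int(pids[i]), comms.get(i, "?")))
    return chain


def describe_event(event):
    """Return ('comm(pid) <- parent(pid) <- ...', argv) for a triage view.

    Falls back to the SYSCALL pid/comm when no PROC_TREE record is present,
    which is what today's logs look like.
    """
    tree = event.get("PROC_TREE")
    chain = process_chain(tree) if tree else []
    if not chain and "SYSCALL" in event:
        f = event["SYSCALL"]["fields"]
        chain = [(int(f["pid"]), f.get("comm", "?"))]
    argv = []
    if "EXECVE" in event:
        args = event["EXECVE"]["indexed"].get("a", {})
        argv = [args[i] for i in sorted(args)]
    return " <- ".join("%s(%d)" % (comm, pid) for pid, comm in chain), argv


if __name__ == "__main__":
    for serial, event in group_by_event(SAMPLE_LOG).items():
        chain_text, argv = describe_event(event)
        print("event %d: %s argv=%r" % (serial, chain_text, argv))
```

Because the parser keys on the `name[i]` shape rather than on a fixed field list, the same code handles a longer or shorter chain, a record that omits `comm[i]` for some entries, and the existing EXECVE `aN=` convention, which is the "generally parsable" property argued for in the thread.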