On 2023/08/16 22:53, Paul Moore wrote:
> On Wed, Aug 16, 2023 at 6:10 AM Tetsuo Handa
> <penguin-ker...@i-love.sakura.ne.jp> wrote:
>> On 2023/08/16 3:44, Paul Moore wrote:
>>> On Fri, Aug 11, 2023 at 6:58 AM Tetsuo Handa
>>> <penguin-ker...@i-love.sakura.ne.jp> wrote:
>>>>
>>>> When an unexpected system event occurs, the administrator may want to
>>>> identify which application triggered the event. For example, unexpected
>>>> process termination is still a real concern enough to write articles
>>>> like https://access.redhat.com/solutions/165993 .
>>>>
>>>> This patch adds a record which emits TOMOYO-like task history information
>>>> into the audit logs for better understanding of unexpected system events.
>>>>
>>>> type=UNKNOWN[1340] msg=audit(1691750738.271:108):
>>>> history="name=swapper/0;pid=1;start=20230811194329=>name=init;pid=1;start=20230811194343=>name=systemd;pid=1;start=20230811194439=>name=sshd;pid=3660;start=20230811104504=>name=sshd;pid=3767;start=20230811104535"
>>>
>>> While I respect your persistence, we've talked about this quite a bit
>>> already in other threads. What you are trying to do is already
>>> possible with audit
>>
>> How?
>
> If you configure audit to record exec() and friends you should have a
> proper history of the processes started on the system.

That is a "No LSM modules other than SELinux are needed because SELinux can do
everything" assertion. People propose different approaches/implementations
because they can't afford utilizing/configuring existing
approaches/implementations.

Your assertion is a fatal problem for merging
"Re: [PATCH v13 00/11] LSM: Three basic syscalls" at
https://lkml.kernel.org/r/cahc9vhq4ttksltbcrxnzsbr1fp9uz_guhmo0bs37lcdybmu...@mail.gmail.com .

Please please allow LSM modules like
https://lkml.kernel.org/r/41d03271-ff8a-9888-11de-a7f53da47...@i-love.sakura.ne.jp
to obtain a stable LSM ID if you don't want to support something that
possibly has an alternative.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit