On Tue, Aug 22, 2023 at 12:29 PM Steve Grubb <[email protected]> wrote:
> On Wednesday, August 16, 2023 9:53:58 AM EDT Paul Moore wrote:
> > On Wed, Aug 16, 2023 at 6:10 AM Tetsuo Handa
> > <[email protected]> wrote:
> > > On 2023/08/16 3:44, Paul Moore wrote:
> > > > On Fri, Aug 11, 2023 at 6:58 AM Tetsuo Handa
> > > > <[email protected]> wrote:
> > > >> When an unexpected system event occurs, the administrator may want to
> > > >> identify which application triggered the event. For example,
> > > >> unexpected process termination is still a real enough concern to write
> > > >> articles like https://access.redhat.com/solutions/165993 .
> > > >>
> > > >> This patch adds a record which emits TOMOYO-like task history
> > > >> information into the audit logs for better understanding of unexpected
> > > >> system events.
> > > >>
> > > >> type=UNKNOWN[1340] msg=audit(1691750738.271:108): history="name=swapper/0;pid=1;start=20230811194329=>name=init;pid=1;start=20230811194343=>name=systemd;pid=1;start=20230811194439=>name=sshd;pid=3660;start=20230811104504=>name=sshd;pid=3767;start=20230811104535"
> > > >
> > > > While I respect your persistence, we've talked about this quite a bit
> > > > already in other threads. What you are trying to do is already
> > > > possible with audit
> > >
> > > How?
> >
> > If you configure audit to record exec() and friends you should have a
> > proper history of the processes started on the system.
>
> This is not a practical solution. Yes, technically this could be done. But it
> would be a huge burden on the system to keep up with this. And it would bury
> events you truly wanted to see, effectively DoS'ing the audit system.

If the audit subsystem can't handle the load, that is a separate issue.

-- 
paul-moore.com

--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
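The suggestion in this thread, that an exec rule already yields the process history the proposed record carries, can be checked concretely. The following is an added example, not code from the patch, from TOMOYO or from the audit project: it assumes a rule of the form `auditctl -a always,exit -F arch=b64 -S execve,execveat -F key=exec` and parses the SYSCALL records such a rule emits (the field names ppid, pid, comm, exe, success and key are real auditd fields; the log lines themselves are constructed for the example). It walks ppid links back to the root and renders the result in the same `name=...;pid=...;start=...` form as the proposed history= record. The history function and the sample data are the example's own; nothing here reflects how the kernel or userspace audit tools actually store or query these records.

```python
"""Rebuild a process history from ordinary audit exec records.

Added example (not code from the patch or the audit project). It assumes an
exec rule such as

    auditctl -a always,exit -F arch=b64 -S execve,execveat -F key=exec

and reconstructs, from the SYSCALL records that rule produces, the kind of
ancestry chain the proposed history= record would carry.
"""
import re
import time
from collections import defaultdict

# Constructed sample records (only a subset of the fields auditd emits).
# The failed exec of pid 3661 must be ignored; the last record shows comm and
# exe hex-encoded, which audit does for values containing spaces or
# unprintable bytes ("my cmd" and "/tmp/my cmd").
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1691750619.000:10): arch=c000003e syscall=59 success=yes exit=0 ppid=0 pid=1 comm="init" exe="/sbin/init" key="exec"
type=SYSCALL msg=audit(1691750679.000:11): arch=c000003e syscall=59 success=yes exit=0 ppid=0 pid=1 comm="systemd" exe="/usr/lib/systemd/systemd" key="exec"
type=SYSCALL msg=audit(1691750704.000:50): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3660 comm="sshd" exe="/usr/sbin/sshd" key="exec"
type=SYSCALL msg=audit(1691750710.000:51): arch=c000003e syscall=59 success=no exit=-2 ppid=1 pid=3661 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1691750735.000:60): arch=c000003e syscall=59 success=yes exit=0 ppid=3660 pid=3767 comm="sshd" exe="/usr/sbin/sshd" key="exec"
type=SYSCALL msg=audit(1691750738.000:61): arch=c000003e syscall=59 success=yes exit=0 ppid=3767 pid=3790 comm=6D7920636D64 exe=2F746D702F6D7920636D64 key="exec"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def decode_string(raw):
    """Unquote a string field, or decode the hex form audit uses instead of
    quotes when the value contains a space or unprintable byte."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_exec_records(log_text):
    """Return {pid: [exec, ...]} in log order, keeping only successful execs
    tagged with the key from the rule above. A pid that exec'd more than once
    (pid 1 going from init to systemd) keeps every exec."""
    execs = defaultdict(list)
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL "):
            continue
        fields = dict(FIELD_RE.findall(line))
        if decode_string(fields.get("key", "")) != "exec":
            continue
        if fields.get("success") != "yes":
            continue  # a failed execve did not replace the task's image
        m = MSG_RE.search(line)
        if m is None:
            continue
        execs[int(fields["pid"])].append({
            "ts": float(m.group(1)),
            "serial": int(m.group(2)),
            "ppid": int(fields["ppid"]),
            "comm": decode_string(fields["comm"]),
            "exe": decode_string(fields["exe"]),
        })
    return execs


def history(execs, pid, max_depth=64):
    """Walk ppid links from `pid` towards the root and return the chain
    oldest-first as (pid, comm, ts) tuples, one entry per exec. pid reuse is
    only detected as a loop, so after log rotation the result is best effort;
    a child that was forked but never exec'd leaves no record at all under an
    exec-only rule and terminates the walk early."""
    chain = []
    seen = set()
    while pid in execs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        entries = execs[pid]
        chain[:0] = [(pid, e["comm"], e["ts"]) for e in entries]
        pid = entries[-1]["ppid"]
    return chain


def format_history(chain):
    """Render a chain in the name=...;pid=...;start=... form of the proposed
    record, with start as a UTC YYYYMMDDHHMMSS timestamp."""
    return "=>".join(
        f"name={comm};pid={pid};"
        f"start={time.strftime('%Y%m%d%H%M%S', time.gmtime(ts))}"
        for pid, comm, ts in chain
    )


if __name__ == "__main__":
    records = parse_exec_records(SAMPLE_LOG)
    print(format_history(history(records, 3790)))
```

Two caveats a practitioner should keep in mind when relying on this instead of a per-task history: comm is the kernel's 15-byte task name, so exe is the field to trust for identification, and an exec-only rule says nothing about children that fork without exec'ing (the sample works for sshd because sshd re-execs its per-connection children); recording fork/clone as well closes that gap at the cost of the extra volume raised above.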
