On 2023/08/24 22:30, Paul Moore wrote:
> On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
> <penguin-ker...@i-love.sakura.ne.jp> wrote:
>>
>> On 2023/08/23 23:48, Paul Moore wrote:
>>> We've already discussed this both from a kernel load perspective (it
>>> should be able to handle the load, if not that is a separate problem
>>> to address) as well as the human perspective (if you want auditing,
>>> you need to be able to handle auditing).
>>
>> No. You haven't shown us audit rules that can satisfy requirements shown
>> below.
>>
>> (1) Catch _all_ process creations (both via fork()/clone() system calls and
>>     kthread_create() from the kernel), and duplicate the history upon process
>>     creation.
>
> Create an audit filter rule to record the syscalls you are interested
> in logging.
I can't interpret what you are talking about. Please show me using the command line.

>
>> (2) Catch _all_ execve(), and update the history upon successful execve().
>
> Create an audit filter rule to record the syscalls you are interested
> in logging.
>
>> (3) Catch _all_ process terminations (both exit()/exit_group()/kill() system
>>     calls and internal reasons such as OOM killer), and erase the history upon
>>     process termination.
>
> Create an audit filter rule to record the events you are interested in
> logging, if there is an event which isn't being recorded feel free to
> submit a patch to generate an audit record.
>

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
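Added example, written by the editor and not posted by either participant: the three requirements in the thread expressed as auditctl syscall filter rules, with a generator, a syntax check, and a loader. It assumes an x86_64 host (arch=b64), an audit userspace whose syscall table knows clone3 and execveat, and root for loading; kthread_create() and OOM-killer terminations are not system calls, so no syscall rule can record them (the open point in the thread).

```shell
#!/bin/sh
# Emit audit rules (audit.rules syntax, one per line) for the three
# requirements from the thread. Printed rather than applied so they can be
# reviewed, dropped into /etc/audit/rules.d/, or loaded with auditctl -R.
# Assumption: 64-bit syscall ABI only; add matching arch=b32 rules on hosts
# that also run 32-bit binaries.
proc_lifecycle_rules() {
    # (1) process creation via the fork()/clone() syscall family.
    #     kthread_create() is kernel-internal and produces no syscall record.
    echo "-a always,exit -F arch=b64 -S fork,vfork,clone,clone3 -k proc_create"
    # (2) every execve()/execveat(); the SYSCALL record's success= field
    #     distinguishes successful from failed execs.
    echo "-a always,exit -F arch=b64 -S execve,execveat -k proc_exec"
    # (3) voluntary exit and signal delivery via kill()/tkill()/tgkill().
    #     Terminations by the OOM killer are not syscalls and are not seen here.
    echo "-a always,exit -F arch=b64 -S exit,exit_group,kill,tkill,tgkill -k proc_exit"
}

# Check every generated line is an always,exit syscall rule with an arch
# filter and a proc_* key. Returns 0 when all rules pass, 1 otherwise.
check_proc_lifecycle_rules() {
    proc_lifecycle_rules | while IFS= read -r rule; do
        case "$rule" in
            "-a always,exit -F arch=b64 -S "*" -k proc_"*) ;;
            *) echo "bad rule: $rule" >&2; exit 1 ;;
        esac
    done
}

# Load the rules into the running kernel. Needs root and auditctl from the
# audit userspace package; returns auditctl's exit status.
apply_proc_lifecycle_rules() {
    tmp=$(mktemp) || return 1
    proc_lifecycle_rules > "$tmp"
    auditctl -R "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

After loading, `ausearch -k proc_exec` (and the other two keys) shows the matching SYSCALL records; use `-i` to print syscall names instead of numbers.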