On August 24, 2023 6:24:47 PM Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp> wrote:
On 2023/08/24 23:26, Paul Moore wrote:
On Thu, Aug 24, 2023 at 9:47 AM Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp> wrote:
On 2023/08/24 22:39, Tetsuo Handa wrote:
(1) Catch _all_ process creations (both via fork()/clone() system calls and
kthread_create() from the kernel), and duplicate the history upon process
creation.
Create an audit filter rule to record the syscalls you are interested
in logging.
I can't interpret what you are talking about. Please show me using the command
line.
I'm not interested in logging the syscalls just for maintaining process history
information.
That's unfortunate because I'm not interested in merging your patch
when we already have an audit log which can be used to trace process
history information.
It is unfortunate that you continue ignoring the
"How can auditd generate logs that are not triggered via syscalls?"
line. I know how to configure syscall rules using the "-S" option. But I do
not know how to configure non-syscall rules (such as process creation via
kthread_create(), process termination due to tty hangup or OOM killer).
At this point you've exhausted my goodwill so I would suggest simply
reading the audit code, man pages, and experimenting with a running system to
understand how things work, especially for non-syscall records.
I repeat:
The auditd is not capable of generating _all_ records needed for maintaining
this information.
The logs generated via system call auditing are just an example user
of this information.
I repeat:
If you find a place in the code where you believe there should be an audit
record, post a patch and we can discuss it.
--
paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
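The thread turns on what the syscall audit filter can and cannot reconstruct: a `-S` rule on the process-creating syscalls and execve yields SYSCALL records from which a process lineage can be rebuilt, while kthread_create() and OOM-kill terminations emit no such record. The following is an added example, not code from either participant or from the audit project. It assumes an x86_64 host (the `syscall=` numbers 56/57/58/435/59 are x86_64 clone/fork/vfork/clone3/execve) and that the auditctl rule in `AUDIT_RULES` has been loaded; the log lines are constructed for illustration and follow the kernel's `type=SYSCALL` field layout, with `pid=` being the calling task and `exit=` the child pid a successful clone/fork returns to it.

```python
"""Rebuild process lineage from audit SYSCALL records produced by a -S filter rule."""
import re

# auditctl rule that makes the kernel emit the records parsed below.
# Assumption: x86_64 host; auditctl resolves the syscall names (older
# auditctl builds may not know clone3 and would need the number instead).
AUDIT_RULES = (
    "-a always,exit -F arch=b64 -S clone,clone3,fork,vfork,execve -k proc-history\n"
)

# x86_64 syscall numbers as they appear in the record's syscall= field.
PROCESS_CREATING = {56: "clone", 57: "fork", 58: "vfork", 435: "clone3"}
EXECVE = 59

# Constructed sample records (not taken from the thread); the field layout
# follows the kernel's type=SYSCALL record, the values are made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1692880000.101:201): arch=c000003e syscall=56 success=yes exit=1201 ppid=1 pid=1200 comm="bash" exe="/usr/bin/bash" key="proc-history"
type=SYSCALL msg=audit(1692880000.105:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 comm="sleep" exe="/usr/bin/sleep" key="proc-history"
type=SYSCALL msg=audit(1692880000.110:203): arch=c000003e syscall=56 success=no exit=-11 ppid=1 pid=1200 comm="bash" exe="/usr/bin/bash" key="proc-history"
type=SYSCALL msg=audit(1692880000.120:204): arch=c000003e syscall=56 success=yes exit=1300 ppid=1200 pid=1201 comm="sleep" exe="/usr/bin/sleep" key="proc-history"
type=PROCTITLE msg=audit(1692880000.120:204): proctitle="sleep 60"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return a dict of key=value fields; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def build_process_history(log_text):
    """Derive parent links and executed images from SYSCALL records.

    Returns {"parents": {child_pid: parent_pid}, "images": {pid: exe},
             "failed_clones": n}.  Only syscall-driven events can appear here:
    kthread_create() and OOM-kill terminations produce no SYSCALL record, so
    kernel threads and involuntary exits are invisible to this reconstruction.
    """
    parents, images, failed = {}, {}, 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue                            # PROCTITLE, CWD, PATH etc. carry no lineage
        pid, ppid = int(rec["pid"]), int(rec["ppid"])
        parents.setdefault(pid, ppid)           # every record reveals the caller's own parent
        images.setdefault(pid, rec.get("exe"))
        nr = int(rec["syscall"])
        if nr in PROCESS_CREATING:
            if rec.get("success") != "yes":
                failed += 1                     # exit= holds -errno here, not a child pid
                continue
            parents[int(rec["exit"])] = pid     # clone/fork return the child pid to the parent
        elif nr == EXECVE and rec.get("success") == "yes":
            images[pid] = rec.get("exe")        # comm/exe already show the new image at exit
    return {"parents": parents, "images": images, "failed_clones": failed}


def lineage(history, pid):
    """Walk child -> parent links back to the outermost ancestor the log knows."""
    chain, seen = [pid], {pid}
    while pid in history["parents"] and history["parents"][pid] not in seen:
        pid = history["parents"][pid]
        chain.append(pid)
        seen.add(pid)
    return chain


if __name__ == "__main__":
    h = build_process_history(SAMPLE_AUDIT_LOG)
    for p in sorted(h["parents"]):
        print(" -> ".join(f"{x}({h['images'].get(x, '?')})" for x in lineage(h, p)))
    print("failed clone attempts:", h["failed_clones"])
```

The reconstruction stops at whatever the log saw first (pid 1 here), and a process that was started from the kernel rather than by a syscall simply never acquires a parent link; that gap is the point Tetsuo raises and is not something a `-S` rule can close.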