Re: [RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id

2018-06-06 Thread Richard Guy Briggs
On 2018-06-06 13:56, Steve Grubb wrote: > On Wednesday, June 6, 2018 12:58:28 PM EDT Richard Guy Briggs wrote: > > Implement the proc fs write to set the audit container identifier of a > > process, emitting an AUDIT_CONTAINER_ID record to document the event. > > > > This is a write from the

Re: Missing "nametype" field in audit PATH records

2018-06-06 Thread Steve Grubb
On Tuesday, May 29, 2018 10:42:11 AM EDT Nimrod Ostrovsky wrote: > Hello, > > I use the latest audit-userspace version on kernel 3.0.21, and I'm trying > to compile a dispatcher app for audispd. > The problem is that PATH records do not have the "nametype" field in > this kernel version,

Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls

2018-06-06 Thread Steve Grubb
On Wednesday, June 6, 2018 12:58:29 PM EDT Richard Guy Briggs wrote: > Create a new audit record AUDIT_CONTAINER to document the audit > container identifier of a process if it is present. > > Called from audit_log_exit(), syscalls are covered. > > A sample raw event: > type=SYSCALL

Re: [RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id

2018-06-06 Thread Steve Grubb
On Wednesday, June 6, 2018 12:58:28 PM EDT Richard Guy Briggs wrote: > Implement the proc fs write to set the audit container identifier of a > process, emitting an AUDIT_CONTAINER_ID record to document the event. > > This is a write from the container orchestrator task to a proc entry of > the

[PATCH ghau51/ghau40 v3 5/6] start normalization containerid support

2018-06-06 Thread Richard Guy Briggs
Signed-off-by: Richard Guy Briggs --- auparse/normalize_record_map.h | 1 + 1 file changed, 1 insertion(+) diff --git a/auparse/normalize_record_map.h b/auparse/normalize_record_map.h index 1507bb5..41f7c4a 100644 --- a/auparse/normalize_record_map.h +++ b/auparse/normalize_record_map.h @@

[PATCH ghau51/ghau40 v3 4/6] add ausearch containerid support

2018-06-06 Thread Richard Guy Briggs
Add support to ausearch for searching on the containerid field in records. Signed-off-by: Richard Guy Briggs --- src/aureport-options.c | 1 + src/ausearch-llist.c | 2 + src/ausearch-llist.h | 1 + src/ausearch-match.c | 3 + src/ausearch-options.c | 47 +++-

[PATCH ghau51/ghau40 v3 6/6] libaudit: add support to get the task audit container identifier

2018-06-06 Thread Richard Guy Briggs
Add the audit_get_containerid() call analogous to audit_getloginuid() and audit_get_session() calls to get our own audit container identifier. This is intended as a debug patch, not to be upstreamed. Signed-off-by: Richard Guy Briggs --- docs/Makefile.am | 2 +-

[PATCH ghau51/ghau40 v3 3/6] auditctl: add support for AUDIT_CONTID filter

2018-06-06 Thread Richard Guy Briggs
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for

[PATCH ghau51/ghau40 v3 0/6] add support for audit container identifier

2018-06-06 Thread Richard Guy Briggs
Add support for audit kernel container identifiers to userspace tools. The first and second add new record types. The third adds filter support. The fourth and fifth start to add search support. The last is intended for debugging and not for upstream. See:

[PATCH ghau51/ghau40 v3 1/6] AUDIT_CONTAINER_ID message type basic support

2018-06-06 Thread Richard Guy Briggs
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See:

[PATCH ghau51/ghau40 v3 2/6] AUDIT_CONTAINER message type basic support

2018-06-06 Thread Richard Guy Briggs
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: https://github.com/linux-audit/audit-userspace/issues/51 See:

[RFC PATCH ghak90 (was ghak32) V3 06/10] audit: add containerid filtering

2018-06-06 Thread Richard Guy Briggs
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is

[RFC PATCH ghak90 (was ghak32) V3 05/10] audit: add containerid support for tty_audit

2018-06-06 Thread Richard Guy Briggs
Add audit container identifier auxiliary record to tty logging rule event standalone records. Signed-off-by: Richard Guy Briggs --- drivers/tty/tty_audit.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c index

[RFC PATCH ghak90 (was ghak32) V3 08/10] audit: NETFILTER_PKT: record each container ID associated with a netNS

2018-06-06 Thread Richard Guy Briggs
Add audit container identifier auxiliary record(s) to NETFILTER_PKT event standalone records. Iterate through all potential audit container identifiers associated with a network namespace. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h| 5 + kernel/audit.c | 20

[RFC PATCH ghak90 (was ghak32) V3 07/10] audit: add support for containerid to network namespaces

2018-06-06 Thread Richard Guy Briggs
Audit events could happen in a network namespace outside of a task context due to packets received from the net that trigger an auditing rule prior to being associated with a running task. The network namespace could be in use by multiple containers by association to the tasks in that network

[RFC PATCH ghak90 (was ghak32) V3 10/10] rfkill: fix spelling mistake contidion to condition

2018-06-06 Thread Richard Guy Briggs
Signed-off-by: Richard Guy Briggs --- net/rfkill/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rfkill/core.c b/net/rfkill/core.c index 59d0eb9..e89a009 100644 --- a/net/rfkill/core.c +++ b/net/rfkill/core.c @@ -494,7 +494,7 @@ void rfkill_remove_epo_lock(void)

[RFC PATCH ghak90 (was ghak32) V3 09/10] debug audit: read container ID of a process

2018-06-06 Thread Richard Guy Briggs
Add support for reading the audit container identifier from the proc filesystem. This is a read from the proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the task whose audit container identifier is sought. The read expects up to a u64 value (unset:

[RFC PATCH ghak90 (was ghak32) V3 01/10] audit: add container id

2018-06-06 Thread Richard Guy Briggs
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_ID record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly

[RFC PATCH ghak90 (was ghak32) V3 03/10] audit: add containerid support for ptrace and signals

2018-06-06 Thread Richard Guy Briggs
Add audit container identifier support to ptrace and signals. In particular, the "op" field provides a way to label the auxiliary record to which it is associated. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h | 11 +-- kernel/audit.c| 13 +++--

[RFC PATCH ghak90 (was ghak32) V3 00/10] audit: implement container identifier

2018-06-06 Thread Richard Guy Briggs
Implement kernel audit container identifier. This patchset is a third based on the proposal document (V3) posted: https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html The first patch implements the proc fs write to set the audit container identifier of a process,

[RFC PATCH ghak90 (was ghak32) V3 04/10] audit: add support for non-syscall auxiliary records

2018-06-06 Thread Richard Guy Briggs
Standalone audit records have the timestamp and serial number generated on the fly and as such are unique, making them standalone. This new function audit_alloc_local() generates a local audit context that will be used only for a standalone record and its auxiliary record(s). The context is

[RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls

2018-06-06 Thread Richard Guy Briggs
Create a new audit record AUDIT_CONTAINER to document the audit container identifier of a process if it is present. Called from audit_log_exit(), syscalls are covered. A sample raw event: type=SYSCALL msg=audit(1519924845.499:257): arch=c03e syscall=257 success=yes exit=3 a0=ff9c

Re: [PATCH v3 4/4] ima: Differentiate auditing policy rules from "audit" actions

2018-06-06 Thread Mimi Zohar
On Tue, 2018-06-05 at 18:18 -0400, Paul Moore wrote: > On Tue, Jun 5, 2018 at 10:15 AM, Mimi Zohar wrote: > > Hi Paul, > > > > On Mon, 2018-06-04 at 20:21 -0400, Paul Moore wrote: > >> On Mon, Jun 4, 2018 at 4:54 PM, Stefan Berger > >> wrote: > >> > The AUDIT_INTEGRITY_RULE is used for auditing

Missing "nametype" field in audit PATH records

2018-06-06 Thread Nimrod Ostrovsky
Hello, I use the latest audit-userspace version on kernel 3.0.21, and I'm trying to compile a dispatcher app for audispd. The problem is that PATH records do not have the "nametype" field in this kernel version, and I want to be able to distinguish between "parent" PATH records and any other