Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls

2018-07-23 Thread Steve Grubb
On Sunday, July 22, 2018 4:55:10 PM EDT Richard Guy Briggs wrote: > On 2018-07-22 09:32, Steve Grubb wrote: > > On Saturday, July 21, 2018 4:29:30 PM EDT Richard Guy Briggs wrote: > > > > > + * audit_log_contid - report container info > > > > > + * @tsk: tas

Re: [RFC PATCH ghak90 (was ghak32) V3 02/10] audit: log container info of syscalls

2018-06-06 Thread Steve Grubb
On Wednesday, June 6, 2018 12:58:29 PM EDT Richard Guy Briggs wrote: > Create a new audit record AUDIT_CONTAINER to document the audit > container identifier of a process if it is present. > > Called from audit_log_exit(), syscalls are covered. > > A sample raw event: > type=SYSCALL

Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls

2018-05-21 Thread Steve Grubb
On Thursday, May 17, 2018 5:41:02 PM EDT Richard Guy Briggs wrote: > On 2018-05-17 17:09, Steve Grubb wrote: > > On Fri, 16 Mar 2018 05:00:30 -0400 > > > > Richard Guy Briggs <r...@redhat.com> wrote: > > > Create a new audit record AUDIT_CONTAINER_INF

Re: [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process

2018-05-21 Thread Steve Grubb
On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote: > Add support for reading the container ID from the proc filesystem. I think this could be useful in general. Please consider this to be part of the full patch set and not something merely used to debug the patches. -Steve >

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-05-18 Thread Steve Grubb
On Fri, 18 May 2018 11:21:06 -0400 Richard Guy Briggs <r...@redhat.com> wrote: > On 2018-05-18 09:56, Steve Grubb wrote: > > On Thu, 17 May 2018 17:56:00 -0400 > > Richard Guy Briggs <r...@redhat.com> wrote: > > > > > > During syscall ev

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-05-18 Thread Steve Grubb
On Thu, 17 May 2018 17:56:00 -0400 Richard Guy Briggs wrote: > > During syscall events, the path info is returned in a a record > > simply called AUDIT_PATH, cwd info is returned in AUDIT_CWD. So, > > rather than calling the record that gets attached to everything > >

Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls

2018-05-17 Thread Steve Grubb
On Fri, 16 Mar 2018 05:00:30 -0400 Richard Guy Briggs wrote: > Create a new audit record AUDIT_CONTAINER_INFO to document the > container ID of a process if it is present. As mentioned in a previous email, I think AUDIT_CONTAINER is more suitable for the container record. One

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-05-17 Thread Steve Grubb
On Fri, 16 Mar 2018 05:00:28 -0400 Richard Guy Briggs wrote: > Implement the proc fs write to set the audit container ID of a > process, emitting an AUDIT_CONTAINER record to document the event. > > This is a write from the container orchestrator task to a proc entry > of the

Re: RFC(v2): Audit Kernel Container IDs

2017-12-11 Thread Steve Grubb
On Monday, December 11, 2017 11:30:57 AM EST Eric Paris wrote: > > Because a container doesn't have to use namespaces to be a container > > you still need a mechanism for a process to declare that it is in > > fact > > in a container, and to identify the container. > > I like the idea but I'm

Re: RFC(v2): Audit Kernel Container IDs

2017-10-19 Thread Steve Grubb
On Thursday, October 19, 2017 7:11:33 PM EDT Aleksa Sarai wrote: > >>> The registration is a pseudo filesystem (proc, since PID tree already > >>> exists) write of a u8[16] UUID representing the container ID to a file > >>> representing a process that will become the first process in a new > >>>

Re: RFC(v2): Audit Kernel Container IDs

2017-10-17 Thread Steve Grubb
On Tuesday, October 17, 2017 1:57:43 PM EDT James Bottomley wrote: > > > > The idea is that processes spawned into a container would be > > > > labelled by the container orchestration system. It's unclear > > > > what should happen to processes using nsenter after the fact, but > > > > policy for

Re: RFC(v2): Audit Kernel Container IDs

2017-10-17 Thread Steve Grubb
On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote: > > The idea is that processes spawned into a container would be labelled > > by the container orchestration system. It's unclear what should happen > > to processes using nsenter after the fact, but policy for that should > > be

Re: RFC(v2): Audit Kernel Container IDs

2017-10-16 Thread Steve Grubb
On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote: > On 2017-10-12 16:33, Casey Schaufler wrote: > > On 10/12/2017 7:14 AM, Richard Guy Briggs wrote: > > > Containers are a userspace concept. The kernel knows nothing of them. > > > > > > The Linux audit system needs a way to be

Re: RFC(v2): Audit Kernel Container IDs

2017-10-12 Thread Steve Grubb
On Thursday, October 12, 2017 10:14:00 AM EDT Richard Guy Briggs wrote: > Containers are a userspace concept. The kernel knows nothing of them. > > The Linux audit system needs a way to be able to track the container > provenance of events and actions. Audit needs the kernel's help to do >

Re: [PATCH] XFRM: Display the audited SPI value in host byte order

2007-12-12 Thread Steve Grubb
On Wednesday 12 December 2007 14:05:42 Paul Moore wrote: This patch corrects this inconsistency by writing the SPI values to the audit record in host byte order. Looks OK, to me, too. -Steve -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL

Re: [PATCH]: revised make xfrm_audit_log more generic patch

2007-07-24 Thread Steve Grubb
On Tuesday 24 July 2007 12:33:26 pm Joy Latten wrote: It also wouldn't hurt to change the text being sent to this function to have a hyphen instead of a space, so SPD delete becomes SPD-delete. This keeps the parser happy. Steve, more for my education, should all entries have this sort of
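
The parser point made in this message (an unquoted space in a value such as "SPD delete" splits it into two words, so "SPD-delete" is used instead), and the earlier exchange about records attached to a syscall event (AUDIT_PATH, AUDIT_CWD) sharing one event, can both be shown with a small tokenizer for raw audit records. The block below is an added example written for this page; it is not code from the thread, from the kernel patches, or from the audit-userspace project. All sample records are constructed: the serial numbers, addresses and SPI are made up, and the MAC_IPSEC_EVENT type name and field layout are assumptions rather than text taken from the page.

```python
"""Minimal tokenizer for raw Linux audit records (added example)."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample records: serials, addresses and SPI are made up, and the
# MAC_IPSEC_EVENT type and field names are assumed, not copied from the thread.
GOOD_RECORD = ('type=MAC_IPSEC_EVENT msg=audit(1185296006.123:4567): op=SPD-delete '
               'auid=500 ses=1 res=1 src=192.168.1.10 dst=192.168.1.20 spi=0x12345678')
BAD_RECORD = ('type=MAC_IPSEC_EVENT msg=audit(1185296006.123:4568): op=SPD delete '
              'auid=500 ses=1 res=1 src=192.168.1.10 dst=192.168.1.20 spi=0x12345678')
SYSCALL_RECORD = ('type=SYSCALL msg=audit(1185296100.000:4569): arch=c000003e syscall=59 '
                  'success=yes exit=0 pid=1234 auid=500 uid=500 comm="ls" '
                  'exe="/usr/bin/ls" key="exec-watch"')
# proctitle holds "ls -la"; the embedded space is why the kernel hex-encodes it.
PROCTITLE_RECORD = 'type=PROCTITLE msg=audit(1185296100.000:4569): proctitle=6C73202D6C61'

_HEADER = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
# Fields the kernel emits either "quoted" or, when the string contains a space,
# quote or control character, as unquoted uppercase hex.
_HEX_FIELDS = {'proctitle', 'comm', 'exe', 'name', 'cwd', 'acct', 'key'}


def _scan(body: str) -> Iterator[Tuple[Optional[str], str, bool]]:
    """Yield (key, value, quoted); a word without '=' is yielded as (None, word, False)."""
    i, n = 0, len(body)
    while i < n:
        if body[i] == ' ':
            i += 1
            continue
        eq = body.find('=', i)
        sp = body.find(' ', i)
        if sp == -1:
            sp = n
        if eq == -1 or eq > sp:
            # No '=' before the next space: a stray word, typically the tail of a
            # value that contained an unquoted space ("op=SPD delete" -> "delete").
            yield None, body[i:sp], False
            i = sp
            continue
        key = body[i:eq]
        j = eq + 1
        if j < n and body[j] in '"\'':
            quote = body[j]
            close = body.find(quote, j + 1)
            if close == -1:
                close = n
            yield key, body[j + 1:close], True
            i = close + 1
        else:
            end = body.find(' ', j)
            if end == -1:
                end = n
            yield key, body[j:end], False
            i = end


def parse_record(line: str) -> Dict[str, object]:
    """Split one raw record into type, timestamp, serial, fields and stray words."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError('not a raw audit record: %r' % line)
    rtype, ts, serial, body = m.groups()
    fields: Dict[str, str] = {}
    stray: List[str] = []
    for key, value, quoted in _scan(body):
        if key is None:
            stray.append(value)
            continue
        if (not quoted and key in _HEX_FIELDS and value
                and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', value)):
            value = bytes.fromhex(value).decode('utf-8', errors='replace')
        fields[key] = value
    return {'type': rtype, 'time': float(ts), 'serial': int(serial),
            'fields': fields, 'stray': stray}


def is_well_formed(line: str) -> bool:
    """True when every whitespace-separated word in the body is a key=value pair."""
    return not parse_record(line)['stray']


def group_event(lines: List[str]) -> Dict[int, Dict[str, Dict[str, str]]]:
    """Group records sharing an audit serial into one event keyed by record type."""
    events: Dict[int, Dict[str, Dict[str, str]]] = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec['serial'], {})[rec['type']] = rec['fields']
    return events


if __name__ == '__main__':
    for line in (GOOD_RECORD, BAD_RECORD):
        rec = parse_record(line)
        print(rec['fields']['op'], 'stray=%r' % rec['stray'],
              'well-formed' if is_well_formed(line) else 'BROKEN')
    print(group_event([SYSCALL_RECORD, PROCTITLE_RECORD])[4569]['PROCTITLE'])
```

Running it shows "SPD-delete" parsed as one value with no stray words, while "SPD delete" yields op=SPD plus a stray "delete" that a consumer would have to guess belongs to the previous field; the same scanner recovers the hex-encoded proctitle and joins the SYSCALL and PROCTITLE records of serial 4569 into one event.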

Re: [PATCH] make xfrm_audit_log more generic

2007-07-23 Thread Steve Grubb
On Monday 23 July 2007 13:49:17 Joy Latten wrote: Will this cause existing applications to break? Perhaps someone in audit list could help answer this. Probably. It's better to take a new number and let the old ones sit idle. -Steve

Re: [PATCH 1/1] add auditing to ipsec

2006-11-29 Thread Steve Grubb
On Monday 27 November 2006 14:11, Joy Latten wrote: Please let me know if this is acceptable. From an audit perspective, it looks good. -Steve

Re: [PATCH 1/1] add auditing to ipsec

2006-11-27 Thread Steve Grubb
On Monday 27 November 2006 17:26, Joy Latten wrote: This patch adds auditing to ipsec in support of labeled ipsec. The audit changes in this patch look good to me. -Steve Grubb

Re: [PATCH 1/1] NetLabel: add audit support for configuration changes

2006-09-29 Thread Steve Grubb
On Thursday 28 September 2006 14:03, [EMAIL PROTECTED] wrote: This patch adds audit support to NetLabel, including six new audit message types shown below. #define AUDIT_MAC_UNLBL_ACCEPT 1406 #define AUDIT_MAC_UNLBL_DENY 1407 #define AUDIT_MAC_CIPSOV4_ADD 1408 #define

Re: [PATCH 1/1] NetLabel: audit fixups due to delayed feedback

2006-09-29 Thread Steve Grubb
On Friday 29 September 2006 18:39, [EMAIL PROTECTED] wrote: This should make NetLabel more consistent with other kernel generated audit messages specifying configuration changes. OK, this looks better. We may fine tune the messages later after we try it out, but all the issues I saw are fixed.

Re: [RFC 2/7] NetLabel: core network changes

2006-06-22 Thread Steve Grubb
On Thursday 22 June 2006 05:00, David Miller wrote:  #define NETLINK_GENERIC  16 +#define NETLINK_NETLABEL 17  /* Network packet labeling */    #define MAX_LINKS 32  Please use generic netlink. Since this is a security interface, shouldn't it be its own
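Review bot: the added line `+#define NETLINK_NETLABEL 17 /* Network packet labeling */` claims a permanent slot in the fixed netlink protocol-number table, which the same hunk shows is bounded by `#define MAX_LINKS 32`; every subsystem that does this consumes one of the remaining numbers and requires a uapi header change before userspace can use it. Registering a generic netlink family over the existing `NETLINK_GENERIC 16` multiplexer, as the reply asks, gets a family ID at runtime and avoids both costs, so the patch should either switch to generic netlink or state in the commit message why a dedicated protocol number is needed for this interface.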