On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
> This patch set is the second revision of the following two previously
> submitted patch sets:
>
> http://lkml.kernel.org/r/1483375990-14948-1-git-send-email-tyhi...@canonical.com
> http://lkml.kernel.org/r/1483377999-15019-2-git-send-email-tyhi...@canonical.com
>
> The patch set aims to address some known deficiencies in seccomp's current
> logging capabilities:
>
> 1. Inability to log all filter actions.
> 2. Inability to selectively enable filtering; e.g. devs want noisy logging,
>    users want relative quiet.
> 3. Consistent behavior with audit enabled and disabled.
> 4. Inability to easily develop a filter due to the lack of a
>    permissive/complain mode.
>
> The first three items were outlined by Paul Moore and are issues that I agree
> with. The last one is one that I'm particularly interested in.
>
> I deviated a little from the plan that he laid out to address the third issue.
> Looking back at Paul's feedback, he wanted a way to log seccomp actions even
> when the audit subsystem is disabled at build time. I felt like the bigger
> problem is that, while it is common for kernels to be built with audit support,
> it is far less common to actually have auditd running. Therefore, my approach
> was to improve the situation when kernel audit support is enabled at build time
> but audit_enabled is false at runtime. The audit subsystem forwards messages
> onto syslog in that situation.
I'm pretty happy with this series; it's pretty close to something I'd Ack. :)
I think this will get us a lot of what people have asked for without too much
pain. I'll add some thoughts on each of the specific patches...

-Kees

--
Kees Cook
Pixel Security

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit