On Thu, Aug 24, 2023 at 9:39 AM Tetsuo Handa
<penguin-ker...@i-love.sakura.ne.jp> wrote:
> On 2023/08/24 22:30, Paul Moore wrote:
> > On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
> > <penguin-ker...@i-love.sakura.ne.jp> wrote:
> >>
> >> On 2023/08/23 23:48, Paul Moore wrote:
> >>> We've already discussed this both from a kernel load perspective (it
> >>> should be able to handle the load, if not that is a separate problem
> >>> to address) as well as the human perspective (if you want auditing,
> >>> you need to be able to handle auditing).
> >>
> >> No. You haven't shown us audit rules that can satisfy requirements shown below.
> >>
> >>   (1) Catch _all_ process creations (both via fork()/clone() system calls and
> >>       kthread_create() from the kernel), and duplicate the history upon process
> >>       creation.
> >
> > Create an audit filter rule to record the syscalls you are interested
> > in logging.
>
> I can't interpret what you are talking about. Please show me using command line.

I'm sorry Tetsuo, but I've already spent far too much time going in
circles with you on this topic.  As you are capable of submitting
kernel patches, you should be capable of reading a manpage and
experimenting yourself:

https://man7.org/linux/man-pages/man8/auditctl.8.html

-- 
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
