On Fri, Aug 11, 2023 at 6:58 AM Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp> wrote:
>
> When an unexpected system event occurs, the administrator may want to
> identify which application triggered the event. For example, unexpected
> process termination is still a real concern enough to write articles
> like https://access.redhat.com/solutions/165993 .
>
> This patch adds a record which emits TOMOYO-like task history information
> into the audit logs for better understanding of unexpected system events.
>
> type=UNKNOWN[1340] msg=audit(1691750738.271:108):
> history="name=swapper/0;pid=1;start=20230811194329=>name=init;pid=1;start=20230811194343=>name=systemd;pid=1;start=20230811194439=>name=sshd;pid=3660;start=20230811104504=>name=sshd;pid=3767;start=20230811104535"

While I respect your persistence, we've talked about this quite a bit already in other threads. What you are trying to do is already possible with audit and/or TOMOYO enabled and configured, so I see no reason why we want to merge this. I understand your frustration that TOMOYO is not enabled by your preferred distribution, but adding additional (and arguably redundant) code to the upstream kernel is not a solution I am willing to support and maintain long term.

> To be able to avoid bloating audit log files due to this information, this
> patch uses audit_history= kernel command line parameter that controls max
> length of history in bytes (default is 1024, and setting to 0 disables
> recording and emitting).
>
> Unlike execve()'s argv record, records in this history information are
> emitted as one string in order to reduce bloat of the audit log files.
> This information can be split into an array using => as the tokenizer.
> But don't expect that you can compare array elements throughout the whole
> audit logs by splitting into an array, for old records get removed from
> history when history became too long to append the newest record. This
> history information is meant to be interpreted by humans rather than be
> analyzed by programs.
>
> Signed-off-by: Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp>
> ---
>  fs/exec.c                  |   1 +
>  include/linux/audit.h      |   5 ++
>  include/linux/sched.h      |   1 +
>  include/uapi/linux/audit.h |   1 +
>  init/init_task.c           |   7 +++
>  kernel/audit.c             |   1 +
>  kernel/auditsc.c           | 108 +++++++++++++++++++++++++++++++++++++
>  7 files changed, 124 insertions(+)

--
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
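The quoted patch description says the `history=` value can be split on `=>`, with each element carrying `name`, `pid` and `start` fields, and warns that the oldest entries are dropped once the chain exceeds the `audit_history=` budget. The parser below is an added example for analysts reading such records, not code from the patch or from the audit userspace; the sample record is constructed from the one quoted above, and the trimming heuristic (an untrimmed chain begins with the boot task `swapper/0`) is an assumption, not something the patch guarantees.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the record quoted in the patch description
# (type is UNKNOWN[1340] because userspace audit does not know the new type).
SAMPLE_RECORD = (
    'type=UNKNOWN[1340] msg=audit(1691750738.271:108): '
    'history="name=swapper/0;pid=1;start=20230811194329'
    '=>name=init;pid=1;start=20230811194343'
    '=>name=systemd;pid=1;start=20230811194439'
    '=>name=sshd;pid=3660;start=20230811104504'
    '=>name=sshd;pid=3767;start=20230811104535"'
)

MSG_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
HISTORY_RE = re.compile(r'history="(?P<history>[^"]*)"')


def parse_history(record: str) -> Dict:
    """Return the audit timestamp/serial and the ordered ancestor chain.

    Each chain element is a dict with 'name' (str), 'pid' (int) and 'start'
    (str, YYYYMMDDHHMMSS as emitted). Assumption: names contain neither ';'
    nor '=>', since the patch text describes no escaping of the comm field.
    """
    m = MSG_RE.search(record)
    h = HISTORY_RE.search(record)
    if not m or not h:
        raise ValueError("not a history audit record")
    entries: List[Dict] = []
    for chunk in h.group('history').split('=>'):
        fields = dict(part.split('=', 1) for part in chunk.split(';') if part)
        if 'pid' in fields:
            fields['pid'] = int(fields['pid'])
        entries.append(fields)
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'entries': entries,
    }


def history_trimmed(entries: List[Dict]) -> bool:
    """Heuristic (assumed, not guaranteed by the patch): an untrimmed chain
    starts at the boot-time task 'swapper/0'; anything else suggests that
    old elements were dropped to stay within the audit_history byte budget,
    so the oldest visible ancestor is not necessarily the real root."""
    return not entries or entries[0].get('name') != 'swapper/0'
```

Because elements are dropped from the front, correlate records on the newest element (the last dict) rather than on list positions.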