Re: [RFC PATCH V1 01/12] audit: add container id

2018-03-15 Thread Richard Guy Briggs
On 2018-03-15 16:27, Stefan Berger wrote: > On 03/01/2018 02:41 PM, Richard Guy Briggs wrote: > > Implement the proc fs write to set the audit container ID of a process, > > emitting an AUDIT_CONTAINER record to document the event. > > > > This is a write from the container orchestrator task to a

Re: [RFC PATCH V1 01/12] audit: add container id

2018-03-15 Thread Stefan Berger
On 03/01/2018 02:41 PM, Richard Guy Briggs wrote: Implement the proc fs write to set the audit container ID of a process, emitting an AUDIT_CONTAINER record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/containerid where PID is

Re: Matching close() system calls

2018-03-15 Thread Steve Grubb
On Wed, 14 Mar 2018 15:51:44 +0300 Kerem Aksu wrote: > Hello, > > I am trying to trace files by using this rule: > "-a always,exit -F arch=b64 -S read,write,open,close -k file_op" > > I can trace open() system calls with the "type=path" log occurred > with the same ID as the open() system cal

Matching close() system calls

2018-03-15 Thread Kerem Aksu
Hello, I am trying to trace files by using this rule: "-a always,exit -F arch=b64 -S read,write,open,close -k file_op" I can trace open() system calls with the "type=path" log occurred with the same ID as the open() system call. I can learn which file is opened by that open() system call. But

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

2018-03-15 Thread Andy Lutomirski
On Wed, Mar 14, 2018 at 12:28 AM, Jiri Kosina wrote: > On Wed, 14 Mar 2018, Andy Lutomirski wrote: > >> > Yes...I wished I was in on the beginning of this discussion. Here's the >> > problem. We need all tasks auditable unless specifically dismissed as >> > uninteresting. This would be a task,neve

Re: [PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names

2018-03-15 Thread Richard Guy Briggs
On 2018-03-13 16:24, Paul Moore wrote: > On Tue, Mar 13, 2018 at 6:52 AM, Richard Guy Briggs wrote: > > On 2018-03-13 11:38, Steve Grubb wrote: > >> On Tue, 13 Mar 2018 06:11:08 -0400 > >> Richard Guy Briggs wrote: > >> > >> > On 2018-03-13 09:35, Steve Grubb wrote: > >> > > On Mon, 12 Mar 2018 1

[PATCH ghak21 V3 1/2] audit: remove path param from link denied function

2018-03-15 Thread Richard Guy Briggs
In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc ("audit: link denied should not directly generate PATH record") the need for the struct path *link parameter was removed. Remove the now useless struct path argument. Signed-off-by: Richard Guy Briggs --- fs/namei.c| 2 +- include/li

[PATCH ghak21 V3 2/2] audit: add refused symlink to audit_names

2018-03-15 Thread Richard Guy Briggs
Audit link denied events for symlinks had duplicate PATH records rather than just updating the existing PATH record. Update the symlink's PATH record with the current dentry and inode information. See: https://github.com/linux-audit/audit-kernel/issues/21 Signed-off-by: Richard Guy Briggs --- f

[PATCH ghak21 V3 0/2] audit: address ANOM_LINK excess records

2018-03-15 Thread Richard Guy Briggs
This V3 is a supplement to patches 1 and 2 of v1 already merged. Audit link denied events were being unexpectedly produced in a disjoint way when audit was disabled, and when they were expected, there were duplicate PATH records. This patchset addresses both issues for symlinks and hardlinks. Th