[PATCH ghau40 v2 4/5] add ausearch containerid support

2018-03-16 Thread Richard Guy Briggs
Add support to ausearch for searching on the containerid field in records. Signed-off-by: Richard Guy Briggs --- src/aureport-options.c | 1 + src/ausearch-llist.c | 2 + src/ausearch-llist.h | 1 + src/ausearch-match.c | 3 + src/ausearch-options.c | 46

[PATCH ghau40 v2 3/5] auditctl: add support for containerid filter

2018-03-16 Thread Richard Guy Briggs
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for

[PATCH ghau40 v2 5/5] start normalization containerid support

2018-03-16 Thread Richard Guy Briggs
Signed-off-by: Richard Guy Briggs --- auparse/normalize_record_map.h | 1 + 1 file changed, 1 insertion(+) diff --git a/auparse/normalize_record_map.h b/auparse/normalize_record_map.h index 1507bb5..c529e2e 100644 --- a/auparse/normalize_record_map.h +++

[PATCH ghau40 v2 2/5] AUDIT_CONTAINER_INFO message type basic support

2018-03-16 Thread Richard Guy Briggs
This defines the message number for the container ID info record should the kernel headers not be up to date and gives the record number a name for printing. Signed-off-by: Richard Guy Briggs --- lib/libaudit.h| 4 lib/msg_typetab.h | 1 + 2 files changed, 5

[PATCH ghau40 v2 1/5] AUDIT_CONTAINER message type basic support

2018-03-16 Thread Richard Guy Briggs
This defines the message number for the container ID registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. Signed-off-by: Richard Guy Briggs

[PATCH ghau40 v2 0/5] add support for audit container ID

2018-03-16 Thread Richard Guy Briggs
Add support for audit kernel container IDs to userspace tools. See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-kernel/issues/32 See: https://github.com/linux-audit/audit-testsuite/issues/64 Richard Guy Briggs (5): AUDIT_CONTAINER message

[RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces

2018-03-16 Thread Richard Guy Briggs
Audit events could happen in a network namespace outside of a task context due to packets received from the net that trigger an auditing rule prior to being associated with a running task. The network namespace could be in use by multiple containers by association to the tasks in that network

[RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS

2018-03-16 Thread Richard Guy Briggs
Add container ID auxiliary record(s) to NETFILTER_PKT event standalone records. Iterate through all potential container IDs associated with a network namespace. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 1 + kernel/auditsc.c | 2 ++

[RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records

2018-03-16 Thread Richard Guy Briggs
Standalone audit records have the timestamp and serial number generated on the fly and as such are unique, making them standalone. This new function audit_alloc_local() generates a local audit context that will be used only for a standalone record and its auxiliary record(s). The context is

[RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark

2018-03-16 Thread Richard Guy Briggs
Add container ID auxiliary record to mark, watch and tree rule configuration standalone records. Signed-off-by: Richard Guy Briggs --- kernel/audit_fsnotify.c | 5 - kernel/audit_tree.c | 5 - kernel/audit_watch.c| 33 +++-- 3 files

[RFC PATCH ghak32 V2 00/13] audit: implement container id

2018-03-16 Thread Richard Guy Briggs
Implement audit kernel container ID. This patchset is a second RFC based on the proposal document (V3) posted: https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html The first patch implements the proc fs write to set the audit container ID of a process, emitting an

[RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals

2018-03-16 Thread Richard Guy Briggs
Add container ID support to ptrace and signals. In particular, the "op" field provides a way to label the auxiliary record to which it is associated. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h | 16 +++- kernel/audit.c| 12

[RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process

2018-03-16 Thread Richard Guy Briggs
Add support for reading the container ID from the proc filesystem. This is a read from the proc entry of the form /proc/PID/containerid where PID is the process ID of the task whose container ID is sought. The read expects up to a u64 value (unset: 18446744073709551615). Signed-off-by: Richard

[RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records

2018-03-16 Thread Richard Guy Briggs
Add container ID auxiliary records to configuration change, feature set change and user generated standalone records. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 50 -- kernel/auditfilter.c | 5 - 2 files

[RFC PATCH ghak32 V2 01/13] audit: add container id

2018-03-16 Thread Richard Guy Briggs
Implement the proc fs write to set the audit container ID of a process, emitting an AUDIT_CONTAINER record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/containerid where PID is the process ID of the newly created task that is to

[RFC PATCH ghak32 V2 04/13] audit: add containerid filtering

2018-03-16 Thread Richard Guy Briggs
Implement container ID filtering using the AUDIT_CONTAINERID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is

[RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls

2018-03-16 Thread Richard Guy Briggs
Create a new audit record AUDIT_CONTAINER_INFO to document the container ID of a process if it is present. Called from audit_log_exit(), syscalls are covered. A sample raw event: type=SYSCALL msg=audit(1519924845.499:257): arch=c03e syscall=257 success=yes exit=3 a0=ff9c a1=56374e1cef30

[RFC PATCH ghak32 V2 02/13] audit: check children and threading before allowing containerid

2018-03-16 Thread Richard Guy Briggs
Check if a task has existing children or co-threads and refuse to set the container ID if either are present. Failure to check this could permit games where a child scratches its parent's back to work around inheritance and double-setting policy. Signed-off-by: Richard Guy Briggs