Add support to ausearch for searching on the containerid field in
records.
Signed-off-by: Richard Guy Briggs
---
src/aureport-options.c | 1 +
src/ausearch-llist.c | 2 +
src/ausearch-llist.h | 1 +
src/ausearch-match.c | 3 +
src/ausearch-options.c | 46 -
src/ausearc
A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.
Add support to libaudit and auditctl for
Signed-off-by: Richard Guy Briggs
---
auparse/normalize_record_map.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/auparse/normalize_record_map.h b/auparse/normalize_record_map.h
index 1507bb5..c529e2e 100644
--- a/auparse/normalize_record_map.h
+++ b/auparse/normalize_record_map.h
@@ -25,6
This defines the message number for the container ID info record should
the kernel headers not be up to date and gives the record number a name for
printing.
Signed-off-by: Richard Guy Briggs
---
lib/libaudit.h| 4
lib/msg_typetab.h | 1 +
2 files changed, 5 insertions(+)
diff --git a/
This defines the message number for the container ID registration record
should the kernel headers not be up to date, gives the record number a
name for printing and allows the record to be interpreted since it is in
the 1000 range like AUDIT_LOGIN.
Signed-off-by: Richard Guy Briggs
---
lib/liba
Add support for audit kernel container IDs to userspace tools.
See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/32
See: https://github.com/linux-audit/audit-testsuite/issues/64
Richard Guy Briggs (5):
AUDIT_CONTAINER message t
Audit events could happen in a network namespace outside of a task
context due to packets received from the net that trigger an auditing
rule prior to being associated with a running task. The network
namespace could be in use by multiple containers by association to the
tasks in that network namespa
Add container ID auxiliary record(s) to NETFILTER_PKT event standalone
records. Iterate through all potential container IDs associated with a
network namespace.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 1 +
kernel/auditsc.c | 2 ++
net/netfilter/xt_AUDIT.c | 15
Add container ID auxiliary records to secure computing and abnormal end
standalone records.
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 7103d23..2f02ed9 100644
---
Standalone audit records have the timestamp and serial number generated
on the fly and as such are unique, making them standalone. This new
function audit_alloc_local() generates a local audit context that will
be used only for a standalone record and its auxiliary record(s). The
context is disca
Add container ID auxiliary record to mark, watch and tree rule
configuration standalone records.
Signed-off-by: Richard Guy Briggs
---
kernel/audit_fsnotify.c | 5 -
kernel/audit_tree.c | 5 -
kernel/audit_watch.c| 33 +++--
3 files changed, 27 inser
Implement audit kernel container ID.
This patchset is a second RFC based on the proposal document (V3)
posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
The first patch implements the proc fs write to set the audit container
ID of a process, emitting an AUDIT_
Add container ID support to ptrace and signals. In particular, the "op"
field provides a way to label the auxiliary record to which it is
associated.
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 16 +++-
kernel/audit.c| 12
kernel/audit.h
Add support for reading the container ID from the proc filesystem.
This is a read from the proc entry of the form /proc/PID/containerid
where PID is the process ID of the task whose container ID is sought.
The read expects up to a u64 value (unset: 18446744073709551615).
Signed-off-by: Richard G
Add container ID auxiliary records to configuration change, feature set change
and user generated standalone records.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 50 --
kernel/auditfilter.c | 5 -
2 files changed, 44 insertion
Add container ID auxiliary record to tty logging rule event standalone
records.
Signed-off-by: Richard Guy Briggs
---
drivers/tty/tty_audit.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index e30aa6b..48ee4b7 100644
--
Implement the proc fs write to set the audit container ID of a process,
emitting an AUDIT_CONTAINER record to document the event.
This is a write from the container orchestrator task to a proc entry of
the form /proc/PID/containerid where PID is the process ID of the newly
created task that is to
Implement container ID filtering using the AUDIT_CONTAINERID field name
to send an 8-character string representing a u64 since the value field
is only u32.
Sending it as two u32 was considered, but gathering and comparing two
fields was more complex.
The feature indicator is AUDIT_FEATURE_BITMAP_
Create a new audit record AUDIT_CONTAINER_INFO to document the container
ID of a process if it is present.
Called from audit_log_exit(), syscalls are covered.
A sample raw event:
type=SYSCALL msg=audit(1519924845.499:257): arch=c03e syscall=257
success=yes exit=3 a0=ff9c a1=56374e1cef30
Check if a task has existing children or co-threads and refuse to set
the container ID if either are present. Failure to check this could
permit games where a child scratches its parent's back to work around
inheritance and double-setting policy.
Signed-off-by: Richard Guy Briggs
---
kernel/aud