filename not audited for openat() on F28

2018-04-20 Thread Jiri Jaburek
(Please CC me on replies.) Hello, I'm trying to run the audit-test suite on Fedora 28 and am running into it expecting a name= field in the SYSCALL entry. augrok --seek=697600 -m1 type==SYSCALL syscall=openat success=no pid=3951 auid=1000 uid=0 euid=0 suid=0 fsuid=0 gid=0

Re: filename not audited for openat() on F28

2018-04-20 Thread Steve Grubb
On Friday, April 20, 2018 9:20:29 AM EDT Jiri Jaburek wrote: > (Please CC me on replies.) > > Hello, > I'm trying to run the audit-test suite on Fedora 28 and am running into > it expecting a name= field in the SYSCALL entry. > > augrok --seek=697600 -m1 type==SYSCALL syscall=openat succe

Re: [PATCH ghak80 V1] audit: add syscall information to FEATURE_CHANGE records

2018-04-20 Thread Richard Guy Briggs
On 2018-04-17 18:06, Paul Moore wrote: > On Wed, Apr 11, 2018 at 8:46 AM, Richard Guy Briggs wrote: > > Tie syscall information to FEATURE_CHANGE calls since it is a result of > > user action. > > > > See: https://github.com/linux-audit/audit-kernel/issues/80 > > > > Signed-off-by: Richard Guy Bri

Re: [PATCH ghak80 V1] audit: add syscall information to FEATURE_CHANGE records

2018-04-20 Thread Paul Moore
On Fri, Apr 20, 2018 at 9:46 AM, Richard Guy Briggs wrote: > On 2018-04-17 18:06, Paul Moore wrote: >> On Wed, Apr 11, 2018 at 8:46 AM, Richard Guy Briggs wrote: >> > Tie syscall information to FEATURE_CHANGE calls since it is a result of >> > user action. >> > >> > See: https://github.com/linux-

Re: [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records

2018-04-20 Thread Paul Moore
On Thu, Apr 19, 2018 at 8:42 PM, Richard Guy Briggs wrote: > On 2018-04-18 21:31, Paul Moore wrote: >> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: >> > Add container ID auxiliary records to secure computing and abnormal end >> > standalone records. >> > >> > Signed-off-by: Richard

Re: [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals

2018-04-20 Thread Paul Moore
On Thu, Apr 19, 2018 at 9:03 PM, Richard Guy Briggs wrote: > On 2018-04-18 20:32, Paul Moore wrote: >> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: ... >> > /* >> > * audit_log_container_info - report container info >> > - * @tsk: task to be recorded >> > * @context: task or

Re: [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records

2018-04-20 Thread Paul Moore
On Thu, Apr 19, 2018 at 9:23 PM, Richard Guy Briggs wrote: > On 2018-04-18 20:39, Paul Moore wrote: >> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: >> > Standalone audit records have the timestamp and serial number generated >> > on the fly and as such are unique, making them standa

Re: [PATCH ghak80 V1] audit: add syscall information to FEATURE_CHANGE records

2018-04-20 Thread Richard Guy Briggs
On 2018-04-20 11:58, Paul Moore wrote: > On Fri, Apr 20, 2018 at 9:46 AM, Richard Guy Briggs wrote: > > On 2018-04-17 18:06, Paul Moore wrote: > >> On Wed, Apr 11, 2018 at 8:46 AM, Richard Guy Briggs > >> wrote: > >> > Tie syscall information to FEATURE_CHANGE calls since it is a result of > >>

Re: [PATCH ghak80 V1] audit: add syscall information to FEATURE_CHANGE records

2018-04-20 Thread Paul Moore
On Fri, Apr 20, 2018 at 1:48 PM, Richard Guy Briggs wrote: > On 2018-04-20 11:58, Paul Moore wrote: >> On Fri, Apr 20, 2018 at 9:46 AM, Richard Guy Briggs wrote: >> > On 2018-04-17 18:06, Paul Moore wrote: >> >> On Wed, Apr 11, 2018 at 8:46 AM, Richard Guy Briggs >> >> wrote: >> >> > Tie syscal

Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces

2018-04-20 Thread Richard Guy Briggs
On 2018-04-18 21:46, Paul Moore wrote: > On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > > Audit events could happen in a network namespace outside of a task > > context due to packets received from the net that trigger an auditing > > rule prior to being associated with a running tas

Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces

2018-04-20 Thread Paul Moore
On Fri, Apr 20, 2018 at 4:02 PM, Richard Guy Briggs wrote: > On 2018-04-18 21:46, Paul Moore wrote: >> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: >> > Audit events could happen in a network namespace outside of a task >> > context due to packets received from the net that trigger

Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces

2018-04-20 Thread Richard Guy Briggs
On 2018-04-20 16:22, Paul Moore wrote: > On Fri, Apr 20, 2018 at 4:02 PM, Richard Guy Briggs wrote: > > On 2018-04-18 21:46, Paul Moore wrote: > >> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs > >> wrote: > >> > Audit events could happen in a network namespace outside of a task > >> > con