On 2018-05-31 17:29, Steve Grubb wrote:
> On Thursday, May 31, 2018 4:23:09 PM EDT Richard Guy Briggs wrote:
> > The AUDIT_FILTER_TYPE name is vague and misleading due to not describing
> > where or when the filter is applied and obsolete due to its available
> > filter fields having been expanded.
On Thursday, May 31, 2018 4:23:09 PM EDT Richard Guy Briggs wrote:
> The AUDIT_FILTER_TYPE name is vague and misleading due to not describing
> where or when the filter is applied and obsolete due to its available
> filter fields having been expanded.
>
> Userspace has already renamed it from AUDI
On 2018-05-30 10:45, Ondrej Mosnacek wrote:
> This patch allows the AUDIT_DIR field to be used also with the exclude
> filter.
>
> Not-yet-signed-off-by: Ondrej Mosnacek
> ---
> kernel/audit.c | 5 +++--
> kernel/audit.h | 32 +++-
> kernel/audit_tree.c
Since core dump events are triggered by user activity, tie the
ANOM_ABEND record to the syscall record to collect all records from the
same event.
See: https://github.com/linux-audit/audit-kernel/issues/88
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertio
Since seccomp events are triggered by user activity, tie the SECCOMP
record to the syscall record to collect all records from the same event.
See: https://github.com/linux-audit/audit-kernel/issues/87
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+),
The AUDIT_FILTER_TYPE name is vague and misleading due to not describing
where or when the filter is applied and obsolete due to its available
filter fields having been expanded.
Userspace has already renamed it from AUDIT_FILTER_TYPE to
AUDIT_FILTER_EXCLUDE without checking if it already exists.
On 2018-05-31 11:48, Paul Moore wrote:
> On Thu, May 31, 2018 at 11:13 AM, Richard Guy Briggs wrote:
> > Most uses of audit_enabled don't care about the distinction between
> > AUDIT_ON and AUDIT_LOCKED, so using audit_enabled as a boolean makes
> > more sense and is easier to read. Most uses of a
On 2018-05-30 10:45, Ondrej Mosnacek wrote:
> This patch removes the restriction of the AUDIT_EXE field to only
> SYSCALL filter and teaches audit_filter to recognize this field.
>
> This makes it possible to write rule lists such as:
>
> auditctl -a exit,always [some general rule]
> # Fi
On Wed, May 30, 2018 at 8:46 PM, Lenny Bruzenak wrote:
> On 05/30/2018 06:54 PM, Paul Moore wrote:
>
> ...
>
>> Finally, since you probably haven't followed all of the discussion
>> around associating records into a single event, I wanted to give you
>> my side of the story (if you don't care, you
On Thu, May 31, 2018 at 11:13 AM, Richard Guy Briggs wrote:
> Most uses of audit_enabled don't care about the distinction between
> AUDIT_ON and AUDIT_LOCKED, so using audit_enabled as a boolean makes
> more sense and is easier to read. Most uses of audit_enabled treat it as
> a boolean, so switch
Most uses of audit_enabled don't care about the distinction between
AUDIT_ON and AUDIT_LOCKED, so using audit_enabled as a boolean makes
more sense and is easier to read. Most uses of audit_enabled treat it as
a boolean, so switch the remaining AUDIT_OFF usage to simply use
audit_enabled as a boole
The parameters passed to this logging function are all provided by
a privileged user and therefore we can call audit_log_string()
rather than audit_log_untrustedstring().
Signed-off-by: Stefan Berger
Suggested-by: Steve Grubb
Acked-by: Paul Moore
---
security/integrity/ima/ima_policy.c | 2 +-
Remove the usage of audit_log_string() and replace it with
audit_log_format().
Signed-off-by: Stefan Berger
Suggested-by: Steve Grubb
Reviewed-by: Mimi Zohar
Acked-by: Paul Moore
---
security/integrity/ima/ima_policy.c | 3 +--
security/integrity/integrity_audit.c | 6 +-
2 files changed
The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
the IMA "audit" policy action. This patch defines
AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.
Since we defined a new message type we can now also call
audit_log_task_info() for task specific fields. This now produ
If Integrity is not auditing, IMA shouldn't audit, either.
Signed-off-by: Stefan Berger
---
security/integrity/ima/Kconfig | 1 +
security/integrity/ima/ima_policy.c | 6 +-
security/integrity/integrity.h | 15 +++
3 files changed, 21 insertions(+), 1 deletion(-)
dif
This series of patches cleans up some usages of the audit
subsystem's API by IMA. We also introduce a new record type
that IMA creates while parsing policy rules.
Stefan
v1->v2:
- dropped several patches that extended existing messages with missing
fields
- Using audit_log_task_info() for
On 2018-05-31 09:19, Ondrej Mosnacek wrote:
> The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
> functions to check GID/EGID match, but these functions use the current
> task's credentials, while the comparison should use the credentials of
> the task given to audit_filter_ru
The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
functions to check GID/EGID match, but these functions use the current
task's credentials, while the comparison should use the credentials of
the task given to audit_filter_rules() as a parameter (tsk).
Note that we can use gr