Re: [PATCH ghak90 V9 11/13] audit: contid check descendancy and nesting

2020-08-07 Thread Richard Guy Briggs
On 2020-07-05 11:11, Paul Moore wrote: > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs wrote: > > Require the target task to be a descendant of the container > > orchestrator/engine. > > > > You would only change the audit container ID from one set or inherited

Re: [PATCH ghak90 V9 02/13] audit: add container id

2020-07-29 Thread Richard Guy Briggs
On 2020-07-05 11:09, Paul Moore wrote: > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote: > > > > Implement the proc fs write to set the audit container identifier of a > > process, emitting an AUDIT_CONTAINER_OP record to document the event. > > > > T

Re: [PATCH ghak90 V9 05/13] audit: log container info of syscalls

2020-07-29 Thread Richard Guy Briggs
On 2020-07-05 11:10, Paul Moore wrote: > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote: > > > > Create a new audit record AUDIT_CONTAINER_ID to document the audit > > container identifier of a process if it is present. > > > > Called from audit

Re: [PATCH ghak90 V9 06/13] audit: add contid support for signalling the audit daemon

2020-07-29 Thread Richard Guy Briggs
On 2020-07-05 11:10, Paul Moore wrote: > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote: > > > > Add audit container identifier support to the action of signalling the > > audit daemon. > > > > Since this would need to add an element to the audit_sig_i

Re: [PATCH V3fix ghak120] audit: initialize context values in case of mandatory events

2020-07-28 Thread Richard Guy Briggs
On 2020-07-28 14:47, Paul Moore wrote: > On Tue, Jul 28, 2020 at 12:27 PM Richard Guy Briggs wrote: > > I know you like only really minimal fixes this late, but this seemed > > pretty minimal to me... > > Minimal is a one (two?) line NULL check in audit_log_name(), this &g

Re: [PATCH V3fix ghak120] audit: initialize context values in case of mandatory events

2020-07-28 Thread Richard Guy Briggs
On 2020-07-27 22:14, Paul Moore wrote: > On Mon, Jul 27, 2020 at 5:30 PM Richard Guy Briggs wrote: > > Issue ghak120 enabled syscall records to accompany required records when > > no rules are present to trigger the storage of syscall context. A > > reported issu

[PATCH V3fix ghak120] audit: initialize context values in case of mandatory events

2020-07-27 Thread Richard Guy Briggs
patch, so add that case here. Please see issue https://github.com/linux-audit/audit-kernel/issues/120 Please see issue https://github.com/linux-audit/audit-kernel/issues/96 Passes audit-testsuite. Signed-off-by: Richard Guy Briggs --- kernel/auditsc.c | 3 +++ security/lsm_audit.c | 1 + 2

Re: [PATCH ghak90 V9 10/13] audit: add support for containerid to network namespaces

2020-07-21 Thread Richard Guy Briggs
On 2020-07-05 11:11, Paul Moore wrote: > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs wrote: > > > > This also adds support to qualify NETFILTER_PKT records. > > > > Audit events could happen in a network namespace outside of a task > > context due

Re: [PATCH ghak90 V9 08/13] audit: add containerid support for user records

2020-07-17 Thread Richard Guy Briggs
On 2020-07-05 11:11, Paul Moore wrote: > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs wrote: > > > > Add audit container identifier auxiliary record to user event standalone > > records. > > > > Signed-off-by: Richard Guy Briggs > > Acked-by: Neil H

Re: [PATCH ghak84 v4] audit: purge audit_log_string from the intra-kernel audit API

2020-07-14 Thread Richard Guy Briggs
On 2020-07-14 16:29, Paul Moore wrote: > On Tue, Jul 14, 2020 at 1:44 PM Richard Guy Briggs wrote: > > On 2020-07-14 12:21, Paul Moore wrote: > > > On Mon, Jul 13, 2020 at 3:52 PM Richard Guy Briggs > > > wrote: > > > > > > > > audit_log_st

Re: [PATCH ghak84 v4] audit: purge audit_log_string from the intra-kernel audit API

2020-07-14 Thread Richard Guy Briggs
On 2020-07-14 12:21, Paul Moore wrote: > On Mon, Jul 13, 2020 at 3:52 PM Richard Guy Briggs wrote: > > > > audit_log_string() was intended to be an internal audit function and > > since there are only two internal uses, remove them. Purge all external > > uses of it b

Re: [PATCH ghak90 V9 01/13] audit: collect audit task parameters

2020-07-13 Thread Richard Guy Briggs
On 2020-07-07 21:42, Paul Moore wrote: > On Mon, Jul 6, 2020 at 10:50 PM Richard Guy Briggs wrote: > > On 2020-07-05 11:09, Paul Moore wrote: > > > On Sat, Jun 27, 2020 at 9:21 AM Richard Guy Briggs > > > wrote: > > > > > > > > The audit-rela

[PATCH ghak84 v4] audit: purge audit_log_string from the intra-kernel audit API

2020-07-13 Thread Richard Guy Briggs
-audit/audit-kernel/issues/84 Signed-off-by: Richard Guy Briggs --- Passes audit-testsuite. Changelog: v4 - use double quotes in all replaced audit_log_string() calls v3 - fix two warning: non-void function does not return a value in all control paths Reported-by: kernel test robot v2

Re: [PATCH ghak84 v3] audit: purge audit_log_string from the intra-kernel audit API

2020-07-08 Thread Richard Guy Briggs
On 2020-07-08 18:41, Paul Moore wrote: > On Fri, Jul 3, 2020 at 5:50 PM Richard Guy Briggs wrote: > > > > audit_log_string() was intended to be an internal audit function and > > since there are only two internal uses, remove them. Purge all external > > uses of it b

Re: [PATCH ghak90 V9 01/13] audit: collect audit task parameters

2020-07-06 Thread Richard Guy Briggs
On 2020-07-05 11:09, Paul Moore wrote: > On Sat, Jun 27, 2020 at 9:21 AM Richard Guy Briggs wrote: > > > > The audit-related parameters in struct task_struct should ideally be > > collected together and accessed through a standard audit API. > > > > Collect

[PATCH ghak84 v3] audit: purge audit_log_string from the intra-kernel audit API

2020-07-03 Thread Richard Guy Briggs
-audit/audit-kernel/issues/84 Signed-off-by: Richard Guy Briggs --- Passes audit-testsuite. Changelog: v3 - fix two warning: non-void function does not return a value in all control paths Reported-by: kernel test robot v2 - restructure to piggyback on existing audit_log_format() calls

[PATCH ghak84 v2] audit: purge audit_log_string from the intra-kernel audit API

2020-07-03 Thread Richard Guy Briggs
-audit/audit-kernel/issues/84 Signed-off-by: Richard Guy Briggs --- Passes audit-testsuite. Changelog: v2 - restructure to piggyback on existing audit_log_format() calls, checking quoting needs for each. v1 Vlad Dronov - https://github.com/nefigtut/audit-kernel/commit

[PATCH ghak96 v3] audit: issue CWD record to accompany LSM_AUDIT_DATA_* records

2020-07-03 Thread Richard Guy Briggs
tch. Signed-off-by: Richard Guy Briggs --- Passes audit-testsuite. Changelog: v3 - adapt and refactor__audit_getname, don't key on dummy v2 2020-04-02 vdronov https://www.redhat.com/archives/linux-audit/2020-April/msg4.html - convert to standalone CWD record v1: 2020-03-24 vdronov ht

Re: [PATCH ghak124 v3fix] audit: add gfp parameter to audit_log_nfcfg

2020-07-03 Thread Richard Guy Briggs
I checked all of these (I thought) thoroughly before I started changing code and obviously didn't after. :-/ > https://lore.kernel.org/linux-audit/159378341669.5956.13490174029711421419.stgit@sifl > > paul moore - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Syste

[PATCH ghak124 v3fix] audit: add gfp parameter to audit_log_nfcfg

2020-06-27 Thread Richard Guy Briggs
of audit_log_nfcfg() to accept a GFP parameter. Reported-by: Dan Carpenter Signed-off-by: Richard Guy Briggs --- Passes audit-testsuite. include/linux/audit.h | 8 kernel/auditsc.c | 4 ++-- net/bridge/netfilter/ebtables.c | 6 +++--- net/netfilter

[PATCH ghau51/ghau40 v9 10/11] ausearch: convert contid to comma-sep/carrat-mod cnode/clist

2020-06-27 Thread Richard Guy Briggs
Now that the kernel is able to track container nesting ("audit: track container nesting"), convert the ausearch internals to parse and track the compound list of contids stored in their native u64 format for faster and more efficient processing. Signed-off-by: Richard Guy Briggs

[PATCH ghau51/ghau40 v9 07/11] signal_info: only print context if it is available.

2020-06-27 Thread Richard Guy Briggs
Signed-off-by: Richard Guy Briggs --- src/auditd-event.c| 20 +++- src/auditd-reconfig.c | 2 -- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/src/auditd-event.c b/src/auditd-event.c index e6b2a961f02b..800f4d83bc83 100644 --- a/src/auditd-event.c +++ b/src

[PATCH ghau51/ghau40 v9 08/11] add support for audit_signal_info2

2020-06-27 Thread Richard Guy Briggs
; uint64_t cid; char ctx[]; }; Signed-off-by: Richard Guy Briggs --- auparse/auditd-config.c | 1 + docs/audit_request_signal_info.3 | 15 ++- lib/libaudit.c | 56 ++-- lib/libaudit.h | 16

[PATCH ghau51/ghau40 v9 09/11] contid: interpret correctly CONTAINER_ID contid field csv

2020-06-27 Thread Richard Guy Briggs
:18.746:1690) : contid=777,666,333 Signed-off-by: Richard Guy Briggs --- src/ausearch-report.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/ausearch-report.c b/src/ausearch-report.c index 416c2b13fa6a..754b28af2cb6 100644 --- a/src/ausearch-report.c +++ b/src

[PATCH ghau51/ghau40 v9 11/11] libaudit: add support to get and set capcontid on a task

2020-06-27 Thread Richard Guy Briggs
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs --- auparse/normalize.c| 1 + auparse

[PATCH ghau51/ghau40 v9 06/11] libaudit: add support to get the task audit container identifier

2020-06-27 Thread Richard Guy Briggs
Add the audit_get_containerid() call analogous to audit_getloginuid() and audit_get_session() calls to get our own audit container identifier. This is intended as a debug patch, not to be upstreamed. Signed-off-by: Richard Guy Briggs --- docs/Makefile.am | 2 +- docs

[PATCH ghau51/ghau40 v9 02/11] AUDIT_CONTAINER_ID message type basic support

2020-06-27 Thread Richard Guy Briggs
/90 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs --- lib/libaudit.h| 4 lib/msg_typetab.h | 1 + 2 files changed, 5 insertions(+) diff --git a/lib/libaudit.h b

[PATCH ghau51/ghau40 v9 00/11] add support for audit container identifier

2020-06-27 Thread Richard Guy Briggs
, ausearch, normalization Richard Guy Briggs (11): AUDIT_CONTAINER_OP message type basic support AUDIT_CONTAINER_ID message type basic support auditctl: add support for AUDIT_CONTID filter add ausearch containerid support start normalization containerid support libaudit: add supp

[PATCH ghau51/ghau40 v9 05/11] start normalization containerid support

2020-06-27 Thread Richard Guy Briggs
Signed-off-by: Richard Guy Briggs --- auparse/auparse-defs.h | 3 ++- auparse/interpret.c | 10 ++ auparse/normalize_record_map.h | 2 ++ auparse/typetab.h| 2 ++ bindings/python/auparse_python.c | 1 + 5 files changed, 17 insertions(+), 1

[PATCH ghau51/ghau40 v9 03/11] auditctl: add support for AUDIT_CONTID filter

2020-06-27 Thread Richard Guy Briggs
tion. See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-kernel/issues/91 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs

[PATCH ghau51/ghau40 v9 01/11] AUDIT_CONTAINER_OP message type basic support

2020-06-27 Thread Richard Guy Briggs
-audit/audit-userspace/issues/51 See: https://github.com/linux-audit/audit-kernel/issues/90 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs --- lib/libaudit.h | 4 lib

[PATCH ghau51/ghau40 v9 04/11] add ausearch containerid support

2020-06-27 Thread Richard Guy Briggs
Add support to ausearch for searching on the containerid field in records. Signed-off-by: Richard Guy Briggs --- src/aureport-options.c | 1 + src/ausearch-llist.c | 2 ++ src/ausearch-llist.h | 1 + src/ausearch-match.c | 3 +++ src/ausearch-options.c | 48

[PATCH ghak90 V9 10/13] audit: add support for containerid to network namespaces

2020-06-27 Thread Richard Guy Briggs
for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux/audit.h| 20 ++ kernel/audit.c | 156

[PATCH ghak90 V9 13/13] audit: add capcontid to set contid outside init_user_ns

2020-06-27 Thread Richard Guy Briggs
its parent on this process in order to be able to enable it for another process. The target process must be a descendant of the calling process. Report this action in new message type AUDIT_SET_CAPCONTID 1022 with fields opid= capcontid= old-capcontid= Signed-off-by: Richard Guy Briggs --- fs/p

[PATCH ghak90 V9 12/13] audit: track container nesting

2020-06-27 Thread Richard Guy Briggs
inal field format was "contid=" for task-associated records and "contid=[,[...]]" for network-namespace-associated records. The new field format is "contid=[,^[...]][,[...]]". Signed-off-by: Richard Guy Briggs --- include/linux/au

[PATCH ghak90 V9 11/13] audit: contid check descendancy and nesting

2020-06-27 Thread Richard Guy Briggs
orchestrator as the one that set it so it is not possible to change the contid of another orchestrator's container. Since the task_is_descendant() function is used in YAMA and in audit, remove the duplication and pull the function into kernel/core/sched.c Signed-off-by: Richard Guy Briggs

[PATCH ghak90 V9 05/13] audit: log container info of syscalls

2020-06-27 Thread Richard Guy Briggs
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn Acked-by: Steve Grubb Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux/audit.h | 7 +++ include/uapi/linux/audit.h | 1 + kerne

[PATCH ghak90 V9 06/13] audit: add contid support for signalling the audit daemon

2020-06-27 Thread Richard Guy Briggs
to reflect the new record request and reply type. An older userspace won't break since it won't know to request this record type. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h | 8 include/uapi/linux/audit.h | 1 + kernel/audit.c | 95

[PATCH ghak90 V9 07/13] audit: add support for non-syscall auxiliary records

2020-06-27 Thread Richard Guy Briggs
is discarded immediately after the local associated records are produced. Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux/audit.h | 8 kernel/audit.h| 1 + kernel/auditsc.c | 33

[PATCH ghak90 V9 08/13] audit: add containerid support for user records

2020-06-27 Thread Richard Guy Briggs
Add audit container identifier auxiliary record to user event standalone records. Signed-off-by: Richard Guy Briggs Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- kernel/audit.c | 19 --- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/kernel/audit.c b

[PATCH ghak90 V9 09/13] audit: add containerid filtering

2020-06-27 Thread Richard Guy Briggs
audit testsuite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn Acked

[PATCH ghak90 V9 00/13] audit: implement container identifier

2020-06-27 Thread Richard Guy Briggs
to contid - convert initial container record to syscall aux - fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision v2 - add check for children and threads - add network namespace container identifier list - add NETFILTER_PKT audit container identifier logging -

[PATCH ghak90 V9 03/13] audit: read container ID of a process

2020-06-27 Thread Richard Guy Briggs
: 18446744073709551615). This read requires CAP_AUDIT_CONTROL. Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- fs/proc/base.c | 25 ++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/fs/proc/base.c b/fs

[PATCH ghak90 V9 01/13] audit: collect audit task parameters

2020-06-27 Thread Richard Guy Briggs
to manage this pool of memory. Un-inline audit_free() to be able to always recover that memory. Please see the upstream github issue https://github.com/linux-audit/audit-kernel/issues/81 Signed-off-by: Richard Guy Briggs Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux/au

[PATCH ghak90 V9 04/13] audit: log drop of contid on exit of last task

2020-06-27 Thread Richard Guy Briggs
Since we are tracking the life of each audit container identifier, we can match the creation event with the destruction event. Log the destruction of the audit container identifier when the last process in that container exits. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 20

[PATCH ghak90 V9 02/13] audit: add container id

2020-06-27 Thread Richard Guy Briggs
thub audit testsuite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs Acked-by: Serge Hally

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2020-06-24 Thread Richard Guy Briggs
On 2020-06-24 15:03, Pablo Neira Ayuso wrote: > On Wed, Jun 24, 2020 at 08:34:23AM -0400, Richard Guy Briggs wrote: > > On 2020-06-24 12:03, Pablo Neira Ayuso wrote: > > > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote: > [...] > > > > diff --gi

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2020-06-24 Thread Richard Guy Briggs
On 2020-06-24 12:03, Pablo Neira Ayuso wrote: > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote: > > iptables, ip6tables, arptables and ebtables table registration, > > replacement and unregistration configuration events are logged for the > > native (legacy

Re: [PATCH ghak90 V8 07/16] audit: add contid support for signalling the audit daemon

2020-06-19 Thread Richard Guy Briggs
On 2020-04-17 17:23, Eric W. Biederman wrote: > Paul Moore writes: > > > On Thu, Apr 16, 2020 at 4:36 PM Eric W. Biederman > > wrote: > >> Paul Moore writes: > >> > On Mon, Mar 30, 2020 at 1:49 PM Richard Guy Briggs > >> > w

Re: [PATCH v3] IMA: Add audit log for failure conditions

2020-06-09 Thread Richard Guy Briggs
8.051937] audit: type=1804 audit(1591633422.365:8): pid=1 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 > op=measuring_keys cause=hashing_error errno=-22 comm="systemd" > name=".builtin_trusted_keys" res=0 > > thanks, > -lakshmi - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635

Re: [PATCH v3] IMA: Add audit log for failure conditions

2020-06-09 Thread Richard Guy Briggs
audit(1591633422.377:9): pid=1 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 > op=measuring_kexec_cmdline cause=alloc_entry(-12) comm="systemd" > name="kexec-cmdline" res=0 > > Signed-off-by: Lakshmi Ramasubramanian Reviewed-b

Re: [PATCH ghak90 V8 07/16] audit: add contid support for signalling the audit daemon

2020-06-08 Thread Richard Guy Briggs
On 2020-04-22 13:24, Paul Moore wrote: > On Fri, Apr 17, 2020 at 6:26 PM Eric W. Biederman > wrote: > > Paul Moore writes: > > > On Thu, Apr 16, 2020 at 4:36 PM Eric W. Biederman > > > wrote: > > >> Paul Moore writes: > > >>

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2020-06-04 Thread Richard Guy Briggs
On 2020-06-04 13:03, Steve Grubb wrote: > On Thursday, June 4, 2020 9:20:49 AM EDT Richard Guy Briggs wrote: > > iptables, ip6tables, arptables and ebtables table registration, > > replacement and unregistration configuration events are logged for the > > native (legacy) ip

[PATCH ghak124 v3] audit: log nftables configuration change events

2020-06-04 Thread Richard Guy Briggs
(2020-05-28 17:46:41.911:163) : table=firewalld:1;__set0:87 family=inet entries=0 op=nft_register_set pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld For further information please see issue https://github.com/linux-audit/audit-kernel/issues/124 Signed-off-by: Richard Guy Briggs

Re: [PATCH ghak124 v2] audit: log nftables configuration change events

2020-06-02 Thread Richard Guy Briggs
On 2020-06-01 20:12, Paul Moore wrote: > On Mon, Jun 1, 2020 at 6:58 PM Richard Guy Briggs wrote: > > On 2020-06-01 12:10, Paul Moore wrote: > > > On Thu, May 28, 2020 at 9:44 PM Richard Guy Briggs > > > wrote: > > ... > > > > > diff --gi

Re: [PATCH ghak124 v2] audit: log nftables configuration change events

2020-06-01 Thread Richard Guy Briggs
On 2020-06-01 12:10, Paul Moore wrote: > On Thu, May 28, 2020 at 9:44 PM Richard Guy Briggs wrote: > > iptables, ip6tables, arptables and ebtables table registration, > > replacement and unregistration configuration events are logged for the > > native (legacy) ip

[PATCH ghak124 v2] audit: log nftables configuration change events

2020-05-28 Thread Richard Guy Briggs
(2020-05-28 17:46:41.911:163) : table=firewalld:1;__set0:87 family=inet entries=0 op=nft_register_set pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld For further information please see issue https://github.com/linux-audit/audit-kernel/issues/124 Signed-off-by: Richard Guy Briggs

Re: [PATCH ghak124 v1] audit: log nftables configuration change events

2020-05-27 Thread Richard Guy Briggs
On 2020-05-27 16:53, Florian Westphal wrote: > Richard Guy Briggs wrote: > > iptables, ip6tables, arptables and ebtables table registration, > > replacement and unregistration configuration events are logged for the > > native (legacy) iptables setsockopt api, but not for the

[PATCH ghak124 v1] audit: log nftables configuration change events

2020-05-27 Thread Richard Guy Briggs
calls to log the configuration actions in the nftables netlink api. This uses the same NETFILTER_CFG record format. For further information please see issue https://github.com/linux-audit/audit-kernel/issues/124 Signed-off-by: Richard Guy Briggs --- This is an RFC patch. Note: I have questions

Re: [PATCH 1/3 RESEND] sched: Remove __rcu annotation from cred pointer

2020-05-25 Thread Richard Guy Briggs
ppreciate if someone reviewed them. I asked on April 3 which upstream tree you expect this patchset to go through and I did not see a reply. Do you have a specific target or is the large addressee list assuming someone else is taking this set? All we have seen is that it is not intended to go through

Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-20 Thread Richard Guy Briggs
On 2020-05-20 14:59, Richard Guy Briggs wrote: > On 2020-05-20 14:51, Steve Grubb wrote: > > On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote: > > > On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs > > > wrote: > > > > On 2020-05-20 12:51, R

Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-20 Thread Richard Guy Briggs
On 2020-05-20 14:51, Steve Grubb wrote: > On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote: > > On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs wrote: > > > On 2020-05-20 12:51, Richard Guy Briggs wrote: > > > > Some table unregister actions seem

[PATCH ghak25 v6a] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-20 Thread Richard Guy Briggs
=kernel comm=swapper/0 type=NETFILTER_CFG msg=audit(2020-05-20 12:15:27.701:301) : table=nat family=bridge entries=0 op=unregister pid=30 subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:1 Signed-off-by: Richard Guy Briggs --- Changelog: v6 - remove uid, auid fields as duplicates or unset

Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-20 Thread Richard Guy Briggs
On 2020-05-20 12:51, Richard Guy Briggs wrote: > Some table unregister actions seem to be initiated by the kernel to > garbage collect unused tables that are not initiated by any userspace > actions. It was found to be necessary to add the subject credentials to > cover this ca

[PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-20 Thread Richard Guy Briggs
=kworker/u4:2 Signed-off-by: Richard Guy Briggs --- Changelog: v6 - remove uid, auid fields as duplicates or unset v5 - rebase on upstreamed ghak28 on audit/next v5.7-rc1 - remove tty, ses and exe fields as duplicates or unset - drop upstreamed patches 1&2 from set v4 - rebase on audit/next

Re: [PATCH ghak25 v5] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-19 Thread Richard Guy Briggs
On 2020-05-19 15:18, Paul Moore wrote: > On Tue, May 19, 2020 at 11:31 AM Richard Guy Briggs wrote: > > Some table unregister actions seem to be initiated by the kernel to > > garbage collect unused tables that are not initiated by any userspace > > actions. It was found t

[PATCH ghak25 v5] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-19 Thread Richard Guy Briggs
=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 Signed-off-by: Richard Guy Briggs --- Changelog: v5 - rebase on upstreamed ghak28 on audit/next v5.7-rc1 - remove tty, ses and exe fields as duplicates or unset - drop upstreamed patches 1&2 from set v4 - rebase on audit/next v5.7-rc1 - fix checkpatch.pl errors/warnings

Re: [PATCH ghak25 v4 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-17 Thread Richard Guy Briggs
On 2020-05-17 17:50, Paul Moore wrote: > On Sun, May 17, 2020 at 10:15 AM Richard Guy Briggs wrote: > > On 2020-04-28 18:25, Paul Moore wrote: > > > On Wed, Apr 22, 2020 at 5:40 PM Richard Guy Briggs > > > wrote: > > > > Some table unregister act

Re: [PATCH ghak25 v4 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-17 Thread Richard Guy Briggs
On 2020-04-28 18:25, Paul Moore wrote: > On Wed, Apr 22, 2020 at 5:40 PM Richard Guy Briggs wrote: > > Some table unregister actions seem to be initiated by the kernel to > > garbage collect unused tables that are not initiated by any userspace > > actions. It was found t

Re: [PATCH] audit: Replace zero-length array with flexible-array

2020-05-08 Thread Richard Guy Briggs
On 2020-05-07 17:49, Gustavo A. R. Silva wrote: > On Thu, May 07, 2020 at 05:58:13PM -0400, Richard Guy Briggs wrote: > > On 2020-05-07 13:50, Gustavo A. R. Silva wrote: > > > The current codebase makes use of the zero-length array language > > > extension to the C90

Re: [PATCH] audit: Replace zero-length array with flexible-array

2020-05-07 Thread Richard Guy Briggs
/uapi/linux/audit.h in struct audit_rule_data buf[0]. This alert also helped me fix another one in a patchset I'm about to post (and will probably cause a merge conflict but we can figure that out). Reviewed-by: Richard Guy Briggs > --- > include/linux/audit.h |2 +- > 1 file changed

Re: [PATCH ghak25 v4 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-05-06 Thread Richard Guy Briggs
On 2020-05-06 17:26, Steve Grubb wrote: > On Wednesday, April 29, 2020 5:32:47 PM EDT Richard Guy Briggs wrote: > > On 2020-04-29 14:47, Steve Grubb wrote: > > > On Wednesday, April 29, 2020 10:31:46 AM EDT Richard Guy Briggs wrote: > > > > On 2020-04-28 18:25, Paul

Re: [PATCH ghak25 v4 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-04-29 Thread Richard Guy Briggs
On 2020-04-29 14:47, Steve Grubb wrote: > On Wednesday, April 29, 2020 10:31:46 AM EDT Richard Guy Briggs wrote: > > On 2020-04-28 18:25, Paul Moore wrote: > > > On Wed, Apr 22, 2020 at 5:40 PM Richard Guy Briggs > wrote: > > > > Some table unregister actions s

Re: [PATCH ghak25 v4 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister

2020-04-29 Thread Richard Guy Briggs
On 2020-04-28 18:25, Paul Moore wrote: > On Wed, Apr 22, 2020 at 5:40 PM Richard Guy Briggs wrote: > > Some table unregister actions seem to be initiated by the kernel to > > garbage collect unused tables that are not initiated by any userspace > > actions. It was found t

[PATCH ghak90 V7 06/21] audit: contid limit of 32k imposed to avoid DoS

2019-09-18 Thread Richard Guy Briggs
Set an arbitrary limit on the number of audit container identifiers to limit abuse. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 8 kernel/audit.h | 4 2 files changed, 12 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 53d13d638c63..329916534dd2 100644

[PATCH ghak90 V7 01/21] audit: collect audit task parameters

2019-09-18 Thread Richard Guy Briggs
to manage this pool of memory. Un-inline audit_free() to be able to always recover that memory. Please see the upstream github issue https://github.com/linux-audit/audit-kernel/issues/81 Signed-off-by: Richard Guy Briggs Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux/au

[PATCH ghak90 V7 04/21] audit: convert to contid list to check for orch/engine ownership

2019-09-18 Thread Richard Guy Briggs
allow an orchestrator to inject a process into an existing container by checking if the original container owner is the one injecting the task. A hash table list is used to optimize searches. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h | 26 ++-- kernel/audit.c

[PATCH ghak90 V7 03/21] audit: read container ID of a process

2019-09-18 Thread Richard Guy Briggs
: 18446744073709551615). This read requires CAP_AUDIT_CONTROL. Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- fs/proc/base.c | 25 ++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/fs/proc/base.c b/fs

[PATCH ghak90 V7 00/21] audit: implement container identifier

2019-09-18 Thread Richard Guy Briggs
ldren and threads - add network namespace container identifier list - add NETFILTER_PKT audit container identifier logging - patch description and documentation clean-up and example - reap unused ppid Richard Guy Briggs (21): audit: collect audit task parameters audit: add container id audit: read contain

Re: [PATCH ghak90 V6 02/10] audit: add container id

2019-07-17 Thread Richard Guy Briggs
On 2019-07-16 19:30, Paul Moore wrote: > On Tue, Jul 16, 2019 at 6:03 PM Richard Guy Briggs wrote: > > On 2019-07-15 17:04, Paul Moore wrote: > > > On Mon, Jul 8, 2019 at 2:06 PM Richard Guy Briggs wrote: > > ... > > > > > If we can't tru

Re: [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces

2019-05-30 Thread Richard Guy Briggs
On 2019-05-29 18:17, Paul Moore wrote: > On Mon, Apr 8, 2019 at 11:41 PM Richard Guy Briggs wrote: > > > > Audit events could happen in a network namespace outside of a task > > context due to packets received from the net that trigger an auditing > > rule prior to bein

Re: [PATCH ghak90 V6 00/10] audit: implement container identifier

2019-05-30 Thread Richard Guy Briggs
n > > wrote: > > > > > On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote: > > > > > > Implement kernel audit container identifier. > > > > > > > > > > I'm sorry, I've lost track of this, where have we landed on it

[PATCH ghak111 V2] audit: deliver signal_info regardless of syscall

2019-05-10 Thread Richard Guy Briggs
function audit_signal_info_syscall() to take care of the syscall dependent parts for when syscall auditing is enabled. Please see the github kernel audit issue https://github.com/linux-audit/audit-kernel/issues/111 Signed-off-by: Richard Guy Briggs --- Changelog: v2: - change patch title to avoid

[PATCH ghak90 V6 10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS

2019-04-08 Thread Richard Guy Briggs
Add audit container identifier auxiliary record(s) to NETFILTER_PKT event standalone records. Iterate through all potential audit container identifiers associated with a network namespace. Signed-off-by: Richard Guy Briggs Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux

Re: [PATCH ghak90 V5 09/10] audit: add support for containerid to network namespaces

2019-04-04 Thread Richard Guy Briggs
On 2019-04-02 07:31, Neil Horman wrote: > On Mon, Apr 01, 2019 at 10:50:03AM -0400, Paul Moore wrote: > > On Fri, Mar 15, 2019 at 2:35 PM Richard Guy Briggs wrote: > > > Audit events could happen in a network namespace outside of a task > > > context due to pa

Re: [PATCH ghak90 V5 03/10] audit: read container ID of a process

2019-03-18 Thread Richard Guy Briggs
On 2019-03-18 14:48, Neil Horman wrote: > On Mon, Mar 18, 2019 at 02:17:21PM -0400, Richard Guy Briggs wrote: > > On 2019-03-18 07:10, Neil Horman wrote: > > > On Fri, Mar 15, 2019 at 02:29:51PM -0400, Richard Guy Briggs wrote: > > > > Add support for reading the a

Re: [RFC PATCH ghak10 v6 0/2] audit: Log changes that can affect the system clock

2019-03-08 Thread Richard Guy Briggs
nux-audit/audit-kernel/wiki/RFE-More-detailed-auditing-of-changes-to-system-clock > > Testing: Passed audit-testuite; functional tests TBD Reviewed-by: Richard Guy Briggs How do you plan to test this in the audit-testsuite? > Changes in v6: > - Reorganized the patches to group changes

[PATCH ghak105 V3] audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL

2019-02-01 Thread Richard Guy Briggs
it is only used by syscall auditing. See github issue https://github.com/linux-audit/audit-kernel/issues/105 Signed-off-by: Richard Guy Briggs --- Tested with CONFIG_AUDITSYSCALL automatically set "y" and manually set "n". Passes all audit-testsuite with the former and the expect

Re: [PATCH ghak100 V2 2/2] audit: ignore fcaps on umount

2019-02-01 Thread Richard Guy Briggs
On 2019-02-01 16:57, Richard Guy Briggs wrote: > On 2019-02-01 16:05, Paul Moore wrote: > > On Fri, Feb 1, 2019 at 3:42 PM Nathan Chancellor > > wrote: > > > On Wed, Jan 23, 2019 at 01:35:00PM -0500, Richard Guy Briggs wrote: > > > > Don't fetch fcaps when

Re: [PATCH ghak105 V2] audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL

2019-02-01 Thread Richard Guy Briggs
On 2019-02-01 17:24, Paul Moore wrote: > On Thu, Jan 31, 2019 at 10:53 PM Paul Moore wrote: > > On Tue, Jan 29, 2019 at 9:54 PM Richard Guy Briggs wrote: > > > On 2019-01-29 18:26, Paul Moore wrote: > > > > On Tue, Jan 29, 2019 at 6:18 PM Richard Guy Briggs >

Re: [PATCH ghak100 V2 2/2] audit: ignore fcaps on umount

2019-02-01 Thread Richard Guy Briggs
On 2019-02-01 16:05, Paul Moore wrote: > On Fri, Feb 1, 2019 at 3:42 PM Nathan Chancellor > wrote: > > On Wed, Jan 23, 2019 at 01:35:00PM -0500, Richard Guy Briggs wrote: > > > Don't fetch fcaps when umount2 is called to avoid a process hang while > > > it

Re: [PATCH ghak107 V1] audit: remove unused actx param from audit_rule_match

2019-02-01 Thread Richard Guy Briggs
On 2019-01-31 23:15, Paul Moore wrote: > On Thu, Jan 31, 2019 at 11:52 AM Richard Guy Briggs wrote: > > > > The audit_rule_match() struct audit_context *actx parameter is not used > > by any in-tree consumers (selinux, apparmour, integrity, smack). > > > > The a

[PATCH ghak107 V1] audit: remove unused actx param from audit_rule_match

2019-01-31 Thread Richard Guy Briggs
Audit: Introduce > generic Audit LSM hooks") but appears to have never been used. Remove it. Please see the github issue https://github.com/linux-audit/audit-kernel/issues/107 Signed-off-by: Richard Guy Briggs --- Passes audit-testsuite. include/linux/lsm_hooks.h | 4 +---

actx not used?

2019-01-30 Thread Richard Guy Briggs
-- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635

Re: [PATCH ghak105 V2] audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL

2019-01-29 Thread Richard Guy Briggs
On 2019-01-29 18:26, Paul Moore wrote: > On Tue, Jan 29, 2019 at 6:18 PM Richard Guy Briggs wrote: > > On 2019-01-29 18:07, Paul Moore wrote: > > > On Mon, Jan 28, 2019 at 1:33 PM Richard Guy Briggs > > > wrote: > > > > Remove audit_context from str

Re: [PATCH ghak105 V2] audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL

2019-01-29 Thread Richard Guy Briggs
On 2019-01-29 18:07, Paul Moore wrote: > On Mon, Jan 28, 2019 at 1:33 PM Richard Guy Briggs wrote: > > Remove audit_context from struct task_struct and struct audit_buffer > > when CONFIG_AUDIT is enabled but CONFIG_AUDITSYSCALL is not. > > > > Also, audit_log_n

Re: [PATCH] audit: always enable syscall auditing when supported and audit is enabled

2019-01-28 Thread Richard Guy Briggs
tirely. > > > > > > > > If you wanted to put together a patch that added a single "-a > > > > never,task" rule on boot I could get behind that, just make it > > > > default to off. > > > > > > That will make processes unaudi

[PATCH ghak105 V2] audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL

2019-01-28 Thread Richard Guy Briggs
it is only used by syscall auditing. See github issue https://github.com/linux-audit/audit-kernel/issues/105 Signed-off-by: Richard Guy Briggs --- Changelog: v2: - resolve merge conflicts from rebase on upstreamed ghak103 patch - wrap task_struct audit_context in CONFIG_AUDITSYSCALL include/linux

Re: [PATCH ghak100 V2 2/2] audit: ignore fcaps on umount

2019-01-25 Thread Richard Guy Briggs
On 2019-01-25 16:45, Paul Moore wrote: > On Wed, Jan 23, 2019 at 1:35 PM Richard Guy Briggs wrote: > > Don't fetch fcaps when umount2 is called to avoid a process hang while > > it waits for the missing resource to (possibly never) re-appear. > > > > Note the comment ab

Re: [PATCH ghak105 V1 2/2] audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL

2019-01-25 Thread Richard Guy Briggs
On 2019-01-22 17:07, Richard Guy Briggs wrote: > Remove audit_context from struct task_struct and struct audit_buffer > when CONFIG_AUDIT is enabled but CONFIG_AUDITSYSCALL is not. > > Also, audit_log_name() (and supporting inode and fcaps functions) should > have been put back in
