* Namespaces in event records
@ 2013-12-03 10:24 Ondrej Moris
  2013-12-03 12:35 ` Richard Guy Briggs
  0 siblings, 1 reply; 2+ messages in thread
From: Ondrej Moris @ 2013-12-03 10:24 UTC (permalink / raw)
  To: linux-audit

Hi, I am wondering if there is a way to get namespaces related to an 
audit event? There are obviously no namespace fields and I do not see 
them in the message as well. It might be important to audit a namespace 
of the process causing the event... or not?

-- 
Ondrej Moriš, RHCSA, RHCE, RHCSS, RHCVA
Quality Assurance Engineer
BaseOS QE - Security
Email: omoris@redhat.com
Web: www.cz.redhat.com
IRC: omoris at #qa #urt #brno, #penguins
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Namespaces in event records
  2013-12-03 10:24 Namespaces in event records Ondrej Moris
@ 2013-12-03 12:35 ` Richard Guy Briggs
  0 siblings, 0 replies; 2+ messages in thread
From: Richard Guy Briggs @ 2013-12-03 12:35 UTC (permalink / raw)
  To: Ondrej Moris; +Cc: linux-audit

On Tue, Dec 03, 2013 at 11:24:12AM +0100, Ondrej Moris wrote:
> Hi, I am wondering if there is a way to get namespaces related to an
> audit event? There are obviously no namespace fields and I do not
> see them in the message as well. It might be important to audit a
> namespace of the process causing the event... or not?

That does sound potentially useful.  I've been working on reducing some
of the restrictions caused by the introduction of namespaces on audit,
in particular, dealing with net namespaces and pid namespaces.  I'm
still looking at user namespaces with caution.  I've not dealt with
mount, uts and ipc namespaces.

In particular to your concerns, I'd looked at how to identify namespaces
in debug or log output and hadn't yet come up with anything satisfying.

> Ondrej Moriš, RHCSA, RHCE, RHCSS, RHCVA

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
