From: Steve Grubb <sgrubb@redhat.com>
To: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: BPF audit logs
Date: Tue, 20 Dec 2022 18:16:45 -0500 [thread overview]
Message-ID: <5652312.DvuYhMxLoT@x2> (raw)
In-Reply-To: <df1eacecc605f856fa80d66d81eddea4dc70ce56.camel@iinet.net.au>
Hello Burn,
On Tuesday, December 20, 2022 5:36:28 PM EST Burn Alting wrote:
> I note that the unsolicited AUDIT_BPF audit event only provides a program
> id and operation (load or unload). For example, type=BPF
> msg=audit(21/12/22 09:03:35.765:439) : prog-id=75 op=LOAD or type=BPF
> msg=audit(21/12/22 09:04:05.883:460) : prog-id=0 op=UNLOAD
> I also note that the bpf auxillary structure (struct bpf_prog_aux) that
> holds the program id value, also holds a name (struct bpf_prog_aux->name)
> and uid (struct bpf_prog_aud->user_struct->uid). Perhaps adding these two
> items to the AUDIT_BPF event would provide more security context for this
> unsolicited event. Thoughts?
I agree that the resulting event leaves a lot to be desired. When the patch
was being merged, I think it was pointed out that all we have is a number.
The BPF folks seemed to insist that was all that was needed. They never
explained how to use that number for anything practical like knowing what was
loaded. If anything can be done to improve the situation, I'd like to
encourage a patch. Systemd triggers a bunch of these events. But what it's
doing is unknowable.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2022-12-20 23:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-20 22:36 BPF audit logs Burn Alting
2022-12-20 23:16 ` Steve Grubb [this message]
2022-12-21 0:01 ` Burn Alting
2022-12-21 14:44 ` Paul Moore
2022-12-21 14:54 ` Paul Moore
2022-12-21 21:02 ` Burn Alting
2022-12-21 23:40 ` Paul Moore
2022-12-21 23:49 ` Burn Alting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5652312.DvuYhMxLoT@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.