From: Richard Guy Briggs <rgb@redhat.com>
To: Linux-Audit Mailing List <linux-audit@redhat.com>,
LKML <linux-kernel@vger.kernel.org>
Cc: Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>,
Steve Grubb <sgrubb@redhat.com>,
Richard Guy Briggs <rgb@redhat.com>
Subject: [PATCH ghak8 ALT4 V4 0/3] audit: show more information for entries with anonymous parents
Date: Mon, 12 Feb 2018 00:02:20 -0500
Message-ID: <cover.1518411444.git.rgb@redhat.com>

More than one filesystem was causing hundreds to thousands of null PATH
records to be associated with the *init_module SYSCALL records on a few
modules with corresponding audit syscall rules.

This patchset adds extra information to those PATH records to provide
insight into what is generating them, including a partial pathname,
fstype field, and two new filetypes that indicate the pathname isn't
anchored at the root of the task's root filesystem.

Richard Guy Briggs (3):
  audit: show partial pathname for entries with anonymous parents
  audit: append new fstype field for anonymous PATH records
  audit: add new filetypes CREATE_ANON and PARENT_ANON

 include/linux/audit.h | 10 ++++++----
 kernel/audit.c        | 41 ++++++++++++++++++++++++++++++++++++++++-
 kernel/audit.h        |  1 +
 kernel/auditsc.c      | 12 ++++++++++--
 4 files changed, 57 insertions(+), 7 deletions(-)

--
1.8.3.1
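
An added example, not part of the patchset or the original message: it groups raw audit records by event, selects the *init_module SYSCALL events, and counts their null-name PATH records along with any records carrying the anonymous filetypes. The log lines are constructed, and the `fstype=` rendering, the `nametype=` spelling of CREATE_ANON/PARENT_ANON, and the x86_64 syscall numbers are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not from the page). The fstype= rendering and the
# nametype= spelling of CREATE_ANON / PARENT_ANON are assumptions.
SAMPLE = """\
type=SYSCALL msg=audit(1518411740.100:301): arch=c000003e syscall=313 success=yes exit=0 comm="modprobe"
type=PATH msg=audit(1518411740.100:301): item=0 name=(null) inode=1 nametype=CREATE
type=PATH msg=audit(1518411740.100:301): item=1 name=(null) inode=2 nametype=PARENT
type=PATH msg=audit(1518411740.100:301): item=2 name="/lib/modules/example.ko" inode=77 nametype=NORMAL
type=SYSCALL msg=audit(1518411741.200:302): arch=c000003e syscall=175 success=yes exit=0 comm="insmod"
type=PATH msg=audit(1518411741.200:302): item=0 name="events/example" inode=3 nametype=CREATE_ANON fstype=0x1234
type=SYSCALL msg=audit(1518411742.300:303): arch=c000003e syscall=2 success=yes exit=3 comm="cat"
type=PATH msg=audit(1518411742.300:303): item=0 name=(null) inode=9 nametype=NORMAL
"""

MODULE_SYSCALLS = {"175", "313"}  # init_module, finit_module (x86_64 assumed)
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return (event id, raw field dict) for one record, or None if malformed."""
    m = EVENT_ID.search(line)
    if not m:
        return None
    # Values stay raw: an unquoted (null) is a missing name, while a quoted
    # "(null)" would be a file literally named that.
    return m.group(1), dict(FIELD.findall(line))

def summarize(log_text):
    """For each *init_module event, count null PATH names and tally *_ANON records."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            events[rec[0]].append(rec[1])
    report = {}
    for event_id, recs in events.items():
        if not any(r.get("type") == "SYSCALL" and r.get("syscall") in MODULE_SYSCALLS
                   for r in recs):
            continue
        paths = [r for r in recs if r.get("type") == "PATH"]
        report[event_id] = {
            "null_paths": sum(r.get("name") == "(null)" for r in paths),
            "anon": Counter((r["nametype"], r.get("fstype", "-")) for r in paths
                            if r.get("nametype", "").endswith("_ANON")),
        }
    return report
```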