From: William Roberts <bill.c.roberts@gmail.com>
To: linux-audit@redhat.com
Cc: rgb@redhat.com
Subject: [PATCH v3.4] - audit cmdline on events
Date: Mon, 18 Nov 2013 16:41:18 -0800
Message-ID: <1384821680-28829-1-git-send-email-wroberts@tresys.com>
Draft versions of some work I have been doing auditing the cmdline
value on events. The reason for this is that I need to get the
package name in Android in the audit records. Oftentimes, the app dies
before userspace would be able to get it from procfs.
I'll (attempt to) summarize the feedback so far.
* RGB - Can we make this dynamic?
** This was nak'd by Steve Grubb and subsequently dropped from these patches.
* Stephen Smalley - Can we cache this in audit struct for performance concerns?
** I think I address this in patch 2
* Steve Grubb - Is cmdline generic enough? Should we extend
prctl for an extended comm field?
** The heart of the matter is a spot where the process can stick
more than 16 chars of data. I think this meets that, without
having to modify prctl.
* Steve Grubb - Can you use a user audit record?
** I can, but the downside is that it doesn't
keep the same id with the related issues; you
have to combine them by hand, by pid. Doesn't
seem like a generic solution.
Right now, the cache never gets invalidated, as there is no kernel
interface on which to invalidate the cache. This would be one
win for adding to prctl.
Once we have a clear way forward on this, I can make the effort
to port to master.
[PATCH 1/2] audit: Allow auditing of proc/self/cmdline value
[PATCH 2/2] audit: Enable cacheing of cmdline in audit_context
Thread overview (8+ messages):
2013-11-19 0:41 William Roberts [this message]
2013-11-19 0:41 ` [PATCH 1/2] audit: Allow auditing of proc/self/cmdline value William Roberts
2013-11-19 14:11 ` Richard Guy Briggs
2013-11-19 0:41 ` [PATCH 2/2] audit: Enable cacheing of cmdline in audit_context William Roberts
2013-11-19 15:40 ` Richard Guy Briggs
2013-11-19 15:44 ` William Roberts
2013-11-19 16:00 ` Richard Guy Briggs
2013-11-19 16:25 ` William Roberts