From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH V9 3/3] audit: add audit by children of executable path
Date: Thu, 06 Aug 2015 17:08:14 -0400 [thread overview]
Message-ID: <18689423.1lXpkUPLpg@x2> (raw)
In-Reply-To: <5456503.IfTzUNfidJ@sifl>
On Thursday, August 06, 2015 04:24:58 PM Paul Moore wrote:
> On Wednesday, August 05, 2015 04:29:38 PM Richard Guy Briggs wrote:
> > This adds the ability to audit the actions of children of a
> > not-yet-running process.
> >
> > This is a split-out of a heavily modified version of a patch originally
> > submitted by Eric Paris with some ideas from Peter Moody.
> >
> >
> > Cc: Peter Moody <peter@hda3.com>
> > Cc: Eric Paris <eparis@redhat.com>
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >
> >  include/uapi/linux/audit.h |  1 +
> >  kernel/auditfilter.c       |  5 +++++
> >  kernel/auditsc.c           | 11 +++++++++++
> >  3 files changed, 17 insertions(+), 0 deletions(-)
>
> I'm still not really comfortable with that loop and since there hasn't been
> a really convincing use case I'm going to pass on this patch for right
> now. If someone comes up with a *really* compelling case in the future
> I'll reconsider it.
It's the same reason strace has a -f option. Sometimes you need to also see
what the children did. For example, maybe you want to audit file access to a
specific directory and several cgi-bin programs can get there. You could write
a rule for apache and be done. Or maybe, you have an app that lets people have
shell access and you need to see files accessed or connections opened. Or maybe
it's a control panel application with helper scripts and you need to see
changes that it's making. Or maybe you have a program that is at risk of being
compromised and you want to see if someone gets a shell from it. There are a
lot of cases where it could be useful.
-Steve
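The "children of an executable" match that this patch proposed is an ancestor walk: a syscall is of interest if the calling process, or any process above it in the parent chain, was exec'd from the watched path. The following is an added example, not code from the patch series or from any of the people in this thread, showing that walk done in userspace over a snapshot of the process tree, for the cases Steve lists (everything under apache, and "did someone get a shell out of this daemon"). The process table is constructed for the example; `read_proc()` builds the same structure from a live Linux /proc. The `Proc` record, the helper names and the list of shell basenames are this example's own assumptions.

```python
"""Userspace approximation of "audit by children of executable path".

Snapshot the process tree, then select every process whose ancestry
includes the watched executable, the way a kernel-side filter would
walk task->real_parent per syscall. The resulting pid list can be used
to filter audit records after the fact or to attach per-pid rules.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    exe: str  # resolved path of the running executable, "" if unknown


# Constructed sample process table (not captured from a real system).
SAMPLE_PROCS = [
    Proc(1,   0,   "/usr/lib/systemd/systemd"),
    Proc(800, 1,   "/usr/sbin/httpd"),     # apache master
    Proc(801, 800, "/usr/sbin/httpd"),     # apache worker
    Proc(950, 801, "/usr/bin/perl"),       # cgi-bin script under apache
    Proc(951, 950, "/usr/bin/bash"),       # shell spawned by the CGI script
    Proc(952, 951, "/usr/bin/cat"),
    Proc(700, 1,   "/usr/sbin/sshd"),
    Proc(701, 700, "/usr/bin/bash"),       # unrelated login shell
    Proc(999, 999, "/usr/bin/orphan"),     # self-parented: must not loop
]

# Assumed set of shell basenames for the "got a shell" question.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}


def descendants_of(procs, exe):
    """Pids of every process that is, or descends from, a process running
    `exe`. Each pid walks up its parent chain; a visited set guards
    against a corrupt or self-parented chain spinning forever."""
    by_pid = {p.pid: p for p in procs}
    matched = set()
    for p in procs:
        seen = set()
        cur = p
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            if cur.exe == exe:
                matched.add(p.pid)
                break
            cur = by_pid.get(cur.ppid)  # None once we run past pid 1
    return sorted(matched)


def shells_spawned_by(procs, exe):
    """Among the descendants of `exe`, those that are themselves shells:
    the "was a shell obtained from this program" check."""
    by_pid = {p.pid: p for p in procs}
    return [pid for pid in descendants_of(procs, exe)
            if os.path.basename(by_pid[pid].exe) in SHELLS]


def read_proc(proc_root="/proc"):
    """Snapshot a live Linux /proc into Proc records. exe is "" for
    processes the caller is not allowed to inspect."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"{proc_root}/{pid}/stat") as f:
                stat = f.read()
            # comm may contain spaces or parens; ppid is the 2nd field
            # after the closing paren.
            ppid = int(stat.rsplit(")", 1)[1].split()[1])
        except (OSError, IndexError, ValueError):
            continue
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            exe = ""
        procs.append(Proc(pid, ppid, exe))
    return procs


if __name__ == "__main__":
    print("under httpd:", descendants_of(SAMPLE_PROCS, "/usr/sbin/httpd"))
    print("shells from httpd:", shells_spawned_by(SAMPLE_PROCS, "/usr/sbin/httpd"))
```

The caveat that makes the in-kernel version attractive is visible here: a snapshot only sees processes alive at the instant it is taken, so a CGI helper that runs for a few milliseconds is missed entirely, whereas a filter evaluated at syscall time sees every child. The `-F exe=` match from patch 2/3 of this series matches only the process exec'd from the path, not what it spawns, which is the gap this third patch was meant to fill.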
2015-08-05 20:29 [PATCH V9 0/3] audit by executable name Richard Guy Briggs
2015-08-05 20:29 ` [PATCH V9 1/3] audit: clean simple fsnotify implementation Richard Guy Briggs
2015-08-06 20:19 ` Paul Moore
2015-08-05 20:29 ` [PATCH V9 2/3] audit: implement audit by executable Richard Guy Briggs
2015-08-06 20:23 ` Paul Moore
2015-08-07 6:25 ` Richard Guy Briggs
2015-08-07 14:27 ` Paul Moore
2015-08-05 20:29 ` [PATCH V9 3/3] audit: add audit by children of executable path Richard Guy Briggs
2015-08-06 20:24 ` Paul Moore
2015-08-06 21:08 ` Steve Grubb [this message]
2015-08-07 0:07 ` Paul Moore
2015-08-07 6:37 ` Richard Guy Briggs
2015-08-07 14:30 ` Paul Moore
2015-08-07 16:03 ` Richard Guy Briggs
2015-08-07 20:47 ` Paul Moore
2015-08-08 5:07 ` Richard Guy Briggs