From: Richard Guy Briggs <rgb@redhat.com>
To: Linux-Audit Mailing List <linux-audit@redhat.com>,
LKML <linux-kernel@vger.kernel.org>
Cc: Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>,
Steve Grubb <sgrubb@redhat.com>,
Richard Guy Briggs <rgb@redhat.com>
Subject: [PATCH ghak8 ALT4 V4 0/3] audit: show more information for entries with anonymous parents
Date: Mon, 12 Feb 2018 00:02:20 -0500
Message-ID: <cover.1518411444.git.rgb@redhat.com>

More than one filesystem was causing hundreds to thousands of null PATH
records to be associated with the *init_module SYSCALL records on a few
modules with corresponding audit syscall rules.

This patchset adds extra information to those PATH records to provide
insight into what is generating them, including a partial pathname,
fstype field, and two new filetypes that indicate the pathname isn't
anchored at the root of the task's root filesystem.

Richard Guy Briggs (3):
  audit: show partial pathname for entries with anonymous parents
  audit: append new fstype field for anonymous PATH records
  audit: add new filetypes CREATE_ANON and PARENT_ANON

 include/linux/audit.h | 10 ++++++----
 kernel/audit.c        | 41 ++++++++++++++++++++++++++++++++++++++++-
 kernel/audit.h        |  1 +
 kernel/auditsc.c      | 12 ++++++++++--
 4 files changed, 57 insertions(+), 7 deletions(-)

--
1.8.3.1
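
Added example (not part of the patchset or of the original message): a triage script that measures the symptom the cover letter describes, counting PATH records with name=(null) per *init_module event in a raw audit log. It assumes x86_64 syscall numbers and the usual raw audit.log record layout; the function names and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: x86_64 syscall numbers (init_module=175, finit_module=313).
MODULE_SYSCALLS = {"175": "init_module", "313": "finit_module"}
# Raw record layout: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): k=v k=v ...
REC = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")


def fields(body):
    """Split 'k=v k="v"' audit fields into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}


def null_path_counts(lines):
    """Return {event_id: (syscall_name, null_paths, total_paths)} for module loads."""
    syscalls, paths = {}, defaultdict(list)
    for line in lines:
        m = REC.match(line.strip())
        if not m:
            continue  # skip anything that is not a raw audit record
        rtype, event_id, body = m.groups()
        f = fields(body)
        if rtype == "SYSCALL" and f.get("syscall") in MODULE_SYSCALLS:
            syscalls[event_id] = MODULE_SYSCALLS[f["syscall"]]
        elif rtype == "PATH":
            paths[event_id].append(f.get("name"))
    # Records of one event share the timestamp:serial id, so join on it.
    return {eid: (name, sum(1 for p in paths[eid] if p == "(null)"), len(paths[eid]))
            for eid, name in syscalls.items()}


# Constructed sample records (not taken from the thread).
SAMPLE = """\
type=SYSCALL msg=audit(1518411740.101:300): arch=c000003e syscall=313 success=yes exit=0 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=PATH msg=audit(1518411740.101:300): item=0 name="/lib/modules/example.ko" inode=1001 dev=fd:00 nametype=NORMAL
type=PATH msg=audit(1518411740.101:300): item=1 name=(null) inode=2001 dev=00:07 nametype=PARENT
type=PATH msg=audit(1518411740.101:300): item=2 name=(null) inode=2002 dev=00:07 nametype=CREATE
type=SYSCALL msg=audit(1518411741.200:301): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key="etc"
type=PATH msg=audit(1518411741.200:301): item=0 name="/etc/hosts" inode=3001 dev=fd:00 nametype=NORMAL
""".splitlines()

if __name__ == "__main__":
    for eid, (name, nulls, total) in null_path_counts(SAMPLE).items():
        print(f"event {eid}: {name} null_paths={nulls}/{total}")
```
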