linux-audit: reconstruct path names from syscall events?

[Steve Grubb]

On Friday, October 07, 2011 09:50:58 AM Eric Paris wrote:
> Audit logs based on name are wrong and misleading.  There's a reason the
> auditable object is the inode and fs details Casey mentioned.  We might
> be able to usually give me information, but that information cannot EVER
> be used for anything useful.  Its unreliable.  Exposing it only leads
> one to believe they have knowledge they don't.

But also depending on an inode leads you to have knowledge when you don't. Inodes get 
reassigned. Depending on when you look at your logs, that inode could have been used 
in 5 different file names between the event and now. So, it is important to snapshot 
what the inode was associated with at a given time.

My thinking is that we can make the system more useful even with name spaces. By 
recording the current association we are more certain about what was being accessed. 
We should be able to record the mount command that caused the new namespace so that we 
can reconstruct a meaningful path. Maybe we need to change the session id on that 
occurance so that child processes can be properly identified.

But you raise a new point that I think we eventally have to address and that is 
containers. I think we will have to record container IDs and the like so that an audit 
event can have a proper context for what it means. We at some point could have 
duplicate uids and pids that are disjointed - not just files.

We have to address this some time.

-Steve