[PATCH V4 0/4] audit by executable name

Steve Grubb sgrubb at redhat.com
Tue Sep 23 22:11:36 UTC 2014


On Tuesday, September 23, 2014 12:32:33 AM Richard Guy Briggs wrote:
> On 14/09/08, Eric Paris wrote:
> > On Mon, 2014-09-08 at 14:53 -0400, Steve Grubb wrote:
> > > On Sunday, August 24, 2014 06:34:04 PM Richard Guy Briggs wrote:
> > > > This is a part of Peter Moody, my and Eric Paris' work to implement
> > > > audit by executable name.
> > > 
> > > So, what's the status on this? Is it scheduled for the next upstream
> > > kernel? This is a feature that's been missing for a long time. Many
> > > people will find this useful.
> > > 
> > > Also, has anyone beside Richard been testing this?
> > 
> > I tested it when I wrote it.  But don't know about this patch series.
> > Is that worth anything?   :)
> 
> Do you still have the test procedure and the results?

The way that we tested other features being added to the kernel was to set up 
looping shell scripts that stress the system. Something similar for this 
addition would:

add the rule, sleep, delete the rule
list the rule, sleep, list the rules, list the rules
start the app, sleep, term the app

All 3 scripts would loop over and over for hours simultaneously. The idea is 
to provoke a race between inserting/deleting/listing rules and actually 
recording an event. You are looking for an oops, livelock, deadlock, or some 
other noticeable problem. I think Al would let something like this run 
overnight before trusting it. The idea is to provoke problems that would affect 
normal operation.

-Steve
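Steve's three loops written out as one shell harness, added here as an example and not code from the thread. It assumes auditctl's `-F exe=` filter for the executable-name rule (the field name is not given above), /bin/sleep as the watched executable, and a DRY_RUN switch that only prints the commands so the loop logic can be checked on a box without auditd.

```shell
#!/bin/sh
# Stress harness for the audit-by-executable-name rule path: the add/delete,
# list and start/term loops run at the same time to provoke a race between
# rule changes and event recording. Constructed example; assumes the
# auditctl -F exe= syntax, which the thread itself never names.

EXE=${EXE:-/bin/sleep}       # executable the rule matches (assumed)
KEY=${KEY:-exe-stress}       # rule key, constructed for this example
PAUSE=${PAUSE:-0.2}          # the "sleep" step of each loop, in seconds
DRY_RUN=${DRY_RUN:-0}        # 1 = print the commands instead of running them

run() {                      # run a command, or only echo it under DRY_RUN
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

rule_spec() {                # rule body shared by add (-a) and delete (-d)
    echo "always,exit -F arch=b64 -S all -F exe=$EXE -k $KEY"
}

rule_cycle() {               # loop 1: add the rule, sleep, delete the rule
    run auditctl -a $(rule_spec)
    sleep "$PAUSE"
    run auditctl -d $(rule_spec)
}

list_cycle() {               # loop 2: list, sleep, list, list
    run auditctl -l
    sleep "$PAUSE"
    run auditctl -l
    run auditctl -l
}

app_cycle() {                # loop 3: start the app, sleep, TERM the app
    if [ "$DRY_RUN" = 1 ]; then echo "$EXE 30 & kill -TERM"; return 0; fi
    "$EXE" 30 & pid=$!
    sleep "$PAUSE"
    kill -TERM "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
}

loop_for() {                 # run function $2 repeatedly for $1 seconds
    end=$(( $(date +%s) + $1 ))
    while [ "$(date +%s)" -lt "$end" ]; do "$2"; done
}

main() {                     # all three loops at once; a loop that hangs or
    dur=${1:-28800}          # dies (oops, deadlock) never returns from wait
    loop_for "$dur" rule_cycle & p1=$!
    loop_for "$dur" list_cycle & p2=$!
    loop_for "$dur" app_cycle  & p3=$!
    wait "$p1" "$p2" "$p3"
}

if [ "${AUDIT_STRESS_MAIN:-0}" = 1 ]; then main "$@"; fi
```

Run as root with `AUDIT_STRESS_MAIN=1 sh audit-stress.sh 28800` for an overnight pass, watching dmesg and auditd in parallel; `DRY_RUN=1` shows exactly which auditctl lines each loop issues.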
