[RFC PATCH ghak9 1/3] audit: Add AUDIT_FD_PATH auxiliary record type
Ondrej Mosnacek
omosnace at redhat.com
Mon Jul 16 08:19:02 UTC 2018
On Fri, Jul 13, 2018 at 4:53 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2018-07-12 13:36, Ondrej Mosnacek wrote:
> > This new record type is used to log the full path corresponding to some
> > important file descriptor used in a syscall.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> > ---
> > include/uapi/linux/audit.h | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 4e3eaba84175..d60041ae34a8 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -114,6 +114,7 @@
> > #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
> > #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
> > #define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
> > +#define AUDIT_FD_PATH 1334 /* File descriptor path info */
>
> The final message type number depends on other work in flight which may
> or may not be accepted first, so don't count on this one being the
> final. Having said that, we usually use the next number in sequence
> unless there is a hard dependence on another patchset.
>
> This will be the maintainer's job to juggle all these when they are
> merged upstream. Unfortunately, that will make more work for the
> corresponding user library patches that help identify this record type.
Of course, I set it to a different number mainly for easier testing on
my side, I can set it to (previous+1) in the later "production-ready"
patchsets.
>
> > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
More information about the Linux-audit
mailing list