[PATCH ghak95] audit: Do not log full CWD path on empty relative paths

Paul Moore paul at paul-moore.com
Tue Nov 6 20:19:03 UTC 2018


On Tue, Nov 6, 2018 at 3:09 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> On Tue, Nov 6, 2018 at 12:30 AM Paul Moore <paul at paul-moore.com> wrote:
> > Let's reset this discussion a bit ... if we abolish relative paths and
> > make everything absolute, is there even a need to log PARENT?
>
> If there ever was such need, then this won't change when we switch to
> absolute paths. The PATH records contain some fields (inode, dev, obj,
> ...) that can be different for the child and parent and I would say
> these are the only new information that the PARENT records provide
> over the corresponding CREATE/DELETE records.

Sigh.  Of course the inode information is going to be different
between the object in question and the parent, they are different
filesystem objects.  Ask yourself the bigger question: does the
PARENT record provide me any security relevant information related to
the filesystem object that is being accessed?

With the messed up state of path name auditing, the PARENT records are
useful when trying to recreate the full path used by the process to
access a given filesystem object (transient as it may be, the path
name can still be useful after the fact).  If we switch to always
recording absolute path names, why do we care about recording the
PARENT filesystem object at all (both the path and the inode
information)?

-- 
paul moore
www.paul-moore.com
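To make the two positions in the thread concrete, here is an added example (not code from the thread, the audit userspace, or the kernel patch) that parses a constructed audit event containing a CWD record and PARENT/CREATE PATH records. It reconstructs absolute paths the way an analyst does today when the kernel logs a relative name, then checks the two claims above: whether the PARENT record's path is just the directory part of the object's path (redundant once paths are absolute), and which fields (inode, dev, mode, owner) the PARENT record alone carries about the directory. The field names follow the kernel's CWD and PATH record format; the values, timestamps and serial number are constructed.

```python
import posixpath
import re

# Constructed sample event (not taken from the mailing list thread): a CWD
# record followed by the PARENT and CREATE PATH records for creating
# "work/notes.txt" through a relative path.  Field names follow the kernel's
# CWD/PATH records; inode, dev and ids are made-up values.
SAMPLE_EVENT = [
    'type=CWD msg=audit(1541534341.123:42): cwd="/home/alice"',
    'type=PATH msg=audit(1541534341.123:42): item=0 name="work" inode=1234 '
    'dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT',
    'type=PATH msg=audit(1541534341.123:42): item=1 name="work/notes.txt" '
    'inode=5678 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE',
]

# key=value tokens; a value is either a double-quoted string or a bare word.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def resolve_paths(event_lines):
    """Return {nametype: absolute path} for every PATH record of one event.

    Relative names are joined to the event's CWD record, which is the manual
    reconstruction needed while the kernel still logs relative path names.
    """
    cwd = "/"
    paths = {}
    for line in event_lines:
        rec = parse_record(line)
        if rec.get("type") == "CWD":
            cwd = rec["cwd"]
        elif rec.get("type") == "PATH":
            name = rec.get("name", "")
            if name in ("", "(null)"):  # unnamed object, nothing to resolve
                continue
            if not name.startswith("/"):
                name = posixpath.normpath(posixpath.join(cwd, name))
            paths[rec["nametype"]] = name
    return paths


def parent_name_is_redundant(paths):
    """True when the PARENT path is exactly the directory part of the object's
    own path, i.e. the PARENT name adds nothing once paths are absolute."""
    child = paths.get("CREATE") or paths.get("DELETE") or paths.get("NORMAL")
    parent = paths.get("PARENT")
    if child is None or parent is None:
        return False
    return posixpath.dirname(child) == parent


def parent_only_metadata(event_lines):
    """Fields the PARENT record carries about the directory itself (inode,
    dev, mode, owner, ...): the data not derivable from the child's record,
    which is the counter-argument raised in the thread."""
    skip = {"type", "msg", "item", "name", "nametype"}
    for line in event_lines:
        rec = parse_record(line)
        if rec.get("type") == "PATH" and rec.get("nametype") == "PARENT":
            return {k: v for k, v in rec.items() if k not in skip}
    return {}


if __name__ == "__main__":
    resolved = resolve_paths(SAMPLE_EVENT)
    print("resolved paths:", resolved)
    print("PARENT name redundant once absolute:", parent_name_is_redundant(resolved))
    print("metadata only the PARENT record provides:", parent_only_metadata(SAMPLE_EVENT))
```

Running it on the constructed event resolves PARENT to /home/alice/work and CREATE to /home/alice/work/notes.txt, reports the PARENT name as redundant (it is the dirname of the CREATE path), and lists the directory's inode/dev/mode/owner fields as the only information the PARENT record contributes beyond the child's own record.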



