[PATCH] audit: add task history record

Paul Moore paul at paul-moore.com
Thu Aug 24 17:02:28 UTC 2023


On Thu, Aug 24, 2023 at 11:55 AM Steve Grubb <sgrubb at redhat.com> wrote:
> On Thursday, August 24, 2023 9:30:10 AM EDT Paul Moore wrote:
> > On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
> > <penguin-kernel at i-love.sakura.ne.jp> wrote:
> > > On 2023/08/23 23:48, Paul Moore wrote:
> > > > We've already discussed this both from a kernel load perspective (it
> > > > should be able to handle the load, if not that is a separate problem
> > > > to address) as well as the human perspective (if you want auditing,
> > > > you need to be able to handle auditing).
> > >
> > > No. You haven't shown us audit rules that can satisfy requirements shown
> > > below.
> > >   (1) Catch _all_ process creations (both via fork()/clone() system calls
> > >   and kthread_create() from the kernel), and duplicate the history upon
> > >   process creation.
> >
> > Create an audit filter rule to record the syscalls you are interested
> > in logging.
> >
> > >   (2) Catch _all_ execve(), and update the history upon successful
> > >   execve().
> >
> > Create an audit filter rule to record the syscalls you are interested
> > in logging.
> >
> > >   (3) Catch _all_ process terminations (both exit()/exit_group()/kill()
> > >   system calls and internal reasons such as OOM killer), and erase the
> > >   history upon process termination.
> >
> > Create an audit filter rule to record the events you are interested in
> > logging, if there is an event which isn't being recorded feel free to
> > submit a patch to generate an audit record.
>
> I'm not for or against this or a similar patch.

That was my impression based on your previous comments, my opinion
remains unchanged.

> The information Tetsuo is
> looking for cannot be recreated from logs. What if it were a daemon that's
> been running for a year? With the amount of data you are suggesting to log,
> it would have rotated away months ago.

Just because it requires configuration and/or a way of maintaining log
information over a period of time does not mean it "cannot" be done.
I also suspect that the number of well managed, and properly updated
systems that have uptimes over a year are increasingly rare.  Yes,
there are systems with uptimes much longer than that, but my argument
is that those systems are not likely as security focused as they may
claim.

> To log all of the system calls you
> mention would be abusive of the audit system, hurt performance, wear out SSD
> drives, and ultimately fail.

Thank you for your input.  It is clear that we have different opinions
on this matter.

> There may be other reasons you don't like the patch and that's fine. But
> saying it can be done from user space after the fact is not helpful.

Arguably your choice to reintroduce arguments you have previously
made, which I believe I've answered, is also not helpful, yet here we
are.

-- 
paul-moore.com
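As an added example (not code from this thread, the kernel, or the audit userspace tools), here is the userspace reconstruction the reply above argues for: replaying audit SYSCALL records produced by filter rules for process creation, execve and exit into a parent/child history with the current image of each process. The rule keys ("proc-create", "proc-exec", "proc-exit"), the pids and the sample records are assumptions constructed for the example.

```python
import re

# Constructed sample records (not from the thread). They assume audit filter
# rules keyed "proc-create" (clone/fork), "proc-exec" (execve), "proc-exit";
# the keys, pids and syscall numbers are assumptions of this example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1692900000.100:10): arch=c000003e syscall=56 success=yes exit=4321 ppid=1 pid=1000 comm="sshd" exe="/usr/sbin/sshd" key="proc-create"
type=SYSCALL msg=audit(1692900001.200:11): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=4321 comm="bash" exe="/usr/bin/bash" key="proc-exec"
type=SYSCALL msg=audit(1692900002.300:12): arch=c000003e syscall=56 success=yes exit=4400 ppid=1000 pid=4321 comm="bash" exe="/usr/bin/bash" key="proc-create"
type=SYSCALL msg=audit(1692900003.400:13): arch=c000003e syscall=59 success=no exit=-13 ppid=4321 pid=4400 comm="bash" exe="/usr/bin/bash" key="proc-exec"
type=SYSCALL msg=audit(1692900003.500:14): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4400 comm="curl" exe="/usr/bin/curl" key="proc-exec"
type=SYSCALL msg=audit(1692900004.600:15): arch=c000003e syscall=231 success=yes exit=0 ppid=1000 pid=4321 comm="bash" exe="/usr/bin/bash" key="proc-exit"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into name=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def build_history(log_text):
    """Replay SYSCALL records in order into pid -> {ppid, exe, exited}.
    A creation record names the child pid in its return value (exit=)."""
    hist = {}
    for line in log_text.splitlines():
        r = parse_record(line)
        if r.get("type") != "SYSCALL" or r.get("success") != "yes":
            continue  # failed syscalls (e.g. a denied execve) change nothing
        pid, key = int(r["pid"]), r.get("key")
        cur = hist.setdefault(pid, {"ppid": int(r["ppid"]), "exe": r["exe"], "exited": False})
        if key == "proc-create":
            # the child starts with the parent's image until it execs
            hist[int(r["exit"])] = {"ppid": pid, "exe": r["exe"], "exited": False}
        elif key == "proc-exec":
            cur["exe"] = r["exe"]  # exe= is the new image after a successful execve
        elif key == "proc-exit":
            cur["exited"] = True  # keep the entry: the log is the history
    return hist

def ancestry(hist, pid):
    """Walk parent links from pid up to the first pid the log never described."""
    chain = []
    while pid in hist:
        chain.append((pid, hist[pid]["exe"], hist[pid]["exited"]))
        pid = hist[pid]["ppid"]
    return chain

if __name__ == "__main__":
    print(ancestry(build_history(SAMPLE_LOG), 4400))
```

Retention of the history across log rotation is then an ausearch/archiving question rather than a kernel one, which is the point of contention in the thread.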
