* New field to auditd.conf file
@ 2016-04-06 11:36 Deepika Sundar
  2016-04-06 11:50 ` Steve Grubb
  0 siblings, 1 reply; 16+ messages in thread
From: Deepika Sundar @ 2016-04-06 11:36 UTC (permalink / raw)
  To: linux-audit



Is it possible to add a new field to the auditd.conf file?

-Deepika


* Re: New field to auditd.conf file
  2016-04-06 11:36 New field to auditd.conf file Deepika Sundar
@ 2016-04-06 11:50 ` Steve Grubb
  2016-04-06 11:55   ` Deepika Sundar
  0 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2016-04-06 11:50 UTC (permalink / raw)
  To: linux-audit

On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote:
> Can it be possible to add new field to auditd.conf file?

That depends entirely on what functionality is being added and if it's
acceptable to people in general.

-Steve


* Re: New field to auditd.conf file
  2016-04-06 11:50 ` Steve Grubb
@ 2016-04-06 11:55   ` Deepika Sundar
  2016-04-06 12:17     ` Steve Grubb
  0 siblings, 1 reply; 16+ messages in thread
From: Deepika Sundar @ 2016-04-06 11:55 UTC (permalink / raw)
  To: linux-audit



OK. If I wanted to add the new field to experiment on the requirement, which
are the files (programs) that need to be changed or updated for a new field
in auditd.conf to take effect?

On Wed, Apr 6, 2016 at 5:20 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote:
> > Can it be possible to add new field to auditd.conf file?
>
> That depends entirely on what functionality is being added and if its
> acceptable to people in general.
>
> -Steve
>


* Re: New field to auditd.conf file
  2016-04-06 11:55   ` Deepika Sundar
@ 2016-04-06 12:17     ` Steve Grubb
  2016-04-07  4:47       ` Deepika Sundar
  0 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2016-04-06 12:17 UTC (permalink / raw)
  To: linux-audit

On Wednesday, April 06, 2016 05:25:36 PM Deepika Sundar wrote:
> Ok.If i wanted to add the new field to experiment on the requirement, which
> are the files(programs) that need changes or  to be updated to take effect
> on new field in auditd.conf?

auditd-config.c


> On Wed, Apr 6, 2016 at 5:20 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote:
> > > Can it be possible to add new field to auditd.conf file?
> > 
> > That depends entirely on what functionality is being added and if its
> > acceptable to people in general.
> > 
> > -Steve


* Re: New field to auditd.conf file
  2016-04-06 12:17     ` Steve Grubb
@ 2016-04-07  4:47       ` Deepika Sundar
  2016-04-07 18:42         ` Paul Moore
  0 siblings, 1 reply; 16+ messages in thread
From: Deepika Sundar @ 2016-04-07  4:47 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



In the same way, on the kernel side, can I add one new field to the audit
log structure without breaking compatibility? If so,
1. How can I add a new field without breaking compatibility?
or
2. Is there any reserved field in the audit log structure that I can make
use of?



On Wed, Apr 6, 2016 at 5:47 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, April 06, 2016 05:25:36 PM Deepika Sundar wrote:
> > Ok.If i wanted to add the new field to experiment on the requirement,
> which
> > are the files(programs) that need changes or  to be updated to take
> effect
> > on new field in auditd.conf?
>
> auditd-config.c
>
>
> > On Wed, Apr 6, 2016 at 5:20 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote:
> > > > Can it be possible to add new field to auditd.conf file?
> > >
> > > That depends entirely on what functionality is being added and if its
> > > acceptable to people in general.
> > >
> > > -Steve
>
>


* Re: New field to auditd.conf file
  2016-04-07  4:47       ` Deepika Sundar
@ 2016-04-07 18:42         ` Paul Moore
  2016-04-13  5:33           ` Deepika Sundar
  0 siblings, 1 reply; 16+ messages in thread
From: Paul Moore @ 2016-04-07 18:42 UTC (permalink / raw)
  To: Deepika Sundar; +Cc: linux-audit

On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
<sundar.deepika18@gmail.com> wrote:
> In the same way, in the kernel side
> Can I able to add one new field to the audit log structure without breaking
> Compatibility? If so,
>   1.How can I add new field without breaking compatibility?
>      or
>   2.Is there any reserve field in audit log structure so that I can make use
>     of it?

You need to be more specific about what you are trying to do.
Speaking generally, unless you work to get your changes merged into
the upstream kernel and userspace tools we cannot guarantee present or
future compatibility.

-- 
paul moore
www.paul-moore.com


* Re: New field to auditd.conf file
  2016-04-07 18:42         ` Paul Moore
@ 2016-04-13  5:33           ` Deepika Sundar
  2016-04-13 12:31             ` Steve Grubb
  0 siblings, 1 reply; 16+ messages in thread
From: Deepika Sundar @ 2016-04-13  5:33 UTC (permalink / raw)
  To: Paul Moore, Steve Grubb, linux-audit



As per my understanding, the audit log structure can be extended based on
requirements, and in my project I need to add an identifier field for the
application. As of now I am not able to reveal what application I am
trying to develop to update. So, is there any possibility that I can do it
without breaking compatibility? Or, if there are any compatibility issues,
please specify them.

On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote:

> On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> <sundar.deepika18@gmail.com> wrote:
> > In the same way, in the kernel side
> > Can I able to add one new field to the audit log structure without
> breaking
> > Compatibility? If so,
> >   1.How can I add new field without breaking compatibility?
> >      or
> >   2.Is there any reserve field in audit log structure so that I can make
> use
> >     of it?
>
> You need to be more specific about what you are trying to do.
> Speaking generally, unless you work to get your changed merged into
> the upstream kernel and userspace tools we cannot guarantee present or
> future compatibility.
>
> --
> paul moore
> www.paul-moore.com
>


* Re: New field to auditd.conf file
  2016-04-13  5:33           ` Deepika Sundar
@ 2016-04-13 12:31             ` Steve Grubb
  2016-04-20  4:35               ` Deepika Sundar
  0 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2016-04-13 12:31 UTC (permalink / raw)
  To: Deepika Sundar; +Cc: linux-audit

On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> As per my understanding audit log structure can be extendible based on
> requirements and in my project I need to add the identifier field for the
> application and as of now I couldn't able to revel the What application
> trying to develop to update.So,Is there any possibility that without
> breaking any Compatibility issues I can do it ?

I have no idea what you are doing so there is no guarantee that it won't break 
something. If your project is going to be released as open source it's
generally best to collaborate with people so that problems can be pointed out. 
Otherwise you risk spending a lot of time on something only to have it 
rejected.

-Steve


> OR If any compatibility issues please specify .
> 
> On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > 
> > <sundar.deepika18@gmail.com> wrote:
> > > In the same way, in the kernel side
> > > Can I able to add one new field to the audit log structure without
> > 
> > breaking
> > 
> > > Compatibility? If so,
> > > 
> > >   1.How can I add new field without breaking compatibility?
> > >   
> > >      or
> > >   
> > >   2.Is there any reserve field in audit log structure so that I can make
> > 
> > use
> > 
> > >     of it?
> > 
> > You need to be more specific about what you are trying to do.
> > Speaking generally, unless you work to get your changed merged into
> > the upstream kernel and userspace tools we cannot guarantee present or
> > future compatibility.
> > 
> > --
> > paul moore
> > www.paul-moore.com


* Re: New field to auditd.conf file
  2016-04-13 12:31             ` Steve Grubb
@ 2016-04-20  4:35               ` Deepika Sundar
  2016-04-20 12:30                 ` Steve Grubb
  0 siblings, 1 reply; 16+ messages in thread
From: Deepika Sundar @ 2016-04-20  4:35 UTC (permalink / raw)
  To: Steve Grubb, Paul Moore, linux-audit



In a general way, are there any compatibility issues if the audit log
structure gets modified?

On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > As per my understanding audit log structure can be extendible based on
> > requirements and in my project I need to add the identifier field for the
> > application and as of now I couldn't able to revel the What application
> > trying to develop to update.So,Is there any possibility that without
> > breaking any Compatibility issues I can do it ?
>
> I have no idea what you are doing so there is no guarantee that it won't
> break
> something. If your project is going to be released as open source its
> generally best to collaborate with people so that problems can be pointed
> out.
> Otherwise you risk spending a lot of time on something only to have it
> rejected.
>
> -Steve
>
>
> > OR If any compatibility issues please specify .
> >
> > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > >
> > > <sundar.deepika18@gmail.com> wrote:
> > > > In the same way, in the kernel side
> > > > Can I able to add one new field to the audit log structure without
> > >
> > > breaking
> > >
> > > > Compatibility? If so,
> > > >
> > > >   1.How can I add new field without breaking compatibility?
> > > >
> > > >      or
> > > >
> > > >   2.Is there any reserve field in audit log structure so that I can
> make
> > >
> > > use
> > >
> > > >     of it?
> > >
> > > You need to be more specific about what you are trying to do.
> > > Speaking generally, unless you work to get your changed merged into
> > > the upstream kernel and userspace tools we cannot guarantee present or
> > > future compatibility.
> > >
> > > --
> > > paul moore
> > > www.paul-moore.com
>
>


* Re: New field to auditd.conf file
  2016-04-20  4:35               ` Deepika Sundar
@ 2016-04-20 12:30                 ` Steve Grubb
  2016-04-21  5:25                   ` Deepika Sundar
  0 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2016-04-20 12:30 UTC (permalink / raw)
  To: Deepika Sundar, linux-audit

On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> In general way,Is there any compatibility issues if audit log structure
> gets modified?

Yes, there can be problems if the log structure gets modified. Ausearch/report 
are highly optimized for an exact format.

-Steve


> On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > > As per my understanding audit log structure can be extendible based on
> > > requirements and in my project I need to add the identifier field for
> > > the
> > > application and as of now I couldn't able to revel the What application
> > > trying to develop to update.So,Is there any possibility that without
> > > breaking any Compatibility issues I can do it ?
> > 
> > I have no idea what you are doing so there is no guarantee that it won't
> > break
> > something. If your project is going to be released as open source its
> > generally best to collaborate with people so that problems can be pointed
> > out.
> > Otherwise you risk spending a lot of time on something only to have it
> > rejected.
> > 
> > -Steve
> > 
> > > OR If any compatibility issues please specify .
> > > 
> > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > > > 
> > > > <sundar.deepika18@gmail.com> wrote:
> > > > > In the same way, in the kernel side
> > > > > Can I able to add one new field to the audit log structure without
> > > > 
> > > > breaking
> > > > 
> > > > > Compatibility? If so,
> > > > > 
> > > > >   1.How can I add new field without breaking compatibility?
> > > > >   
> > > > >      or
> > > > >   
> > > > >   2.Is there any reserve field in audit log structure so that I can
> > 
> > make
> > 
> > > > use
> > > > 
> > > > >     of it?
> > > > 
> > > > You need to be more specific about what you are trying to do.
> > > > Speaking generally, unless you work to get your changed merged into
> > > > the upstream kernel and userspace tools we cannot guarantee present or
> > > > future compatibility.
> > > > 
> > > > --
> > > > paul moore
> > > > www.paul-moore.com


* Re: New field to auditd.conf file
  2016-04-20 12:30                 ` Steve Grubb
@ 2016-04-21  5:25                   ` Deepika Sundar
  2016-04-21 12:58                     ` Paul Moore
  0 siblings, 1 reply; 16+ messages in thread
From: Deepika Sundar @ 2016-04-21  5:25 UTC (permalink / raw)
  To: Steve Grubb, linux-audit



Okay, if I update Ausearch/aureport so that they are aware of the new field
in the audit log structure, would that be feasible?

On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> > In general way,Is there any compatibility issues if audit log structure
> > gets modified?
>
> Yes, there can be problems if the log structure gets modified.
> Ausearch/report
> are highly optimized for an exact format.
>
> -Steve
>
>
> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > > > As per my understanding audit log structure can be extendible based
> on
> > > > requirements and in my project I need to add the identifier field for
> > > > the
> > > > application and as of now I couldn't able to revel the What
> application
> > > > trying to develop to update.So,Is there any possibility that without
> > > > breaking any Compatibility issues I can do it ?
> > >
> > > I have no idea what you are doing so there is no guarantee that it
> won't
> > > break
> > > something. If your project is going to be released as open source its
> > > generally best to collaborate with people so that problems can be
> pointed
> > > out.
> > > Otherwise you risk spending a lot of time on something only to have it
> > > rejected.
> > >
> > > -Steve
> > >
> > > > OR If any compatibility issues please specify .
> > > >
> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com>
> wrote:
> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > > > >
> > > > > <sundar.deepika18@gmail.com> wrote:
> > > > > > In the same way, in the kernel side
> > > > > > Can I able to add one new field to the audit log structure
> without
> > > > >
> > > > > breaking
> > > > >
> > > > > > Compatibility? If so,
> > > > > >
> > > > > >   1.How can I add new field without breaking compatibility?
> > > > > >
> > > > > >      or
> > > > > >
> > > > > >   2.Is there any reserve field in audit log structure so that I
> can
> > >
> > > make
> > >
> > > > > use
> > > > >
> > > > > >     of it?
> > > > >
> > > > > You need to be more specific about what you are trying to do.
> > > > > Speaking generally, unless you work to get your changed merged into
> > > > > the upstream kernel and userspace tools we cannot guarantee
> present or
> > > > > future compatibility.
> > > > >
> > > > > --
> > > > > paul moore
> > > > > www.paul-moore.com
>
>


* Re: New field to auditd.conf file
  2016-04-21  5:25                   ` Deepika Sundar
@ 2016-04-21 12:58                     ` Paul Moore
  2016-04-25  6:56                       ` Deepika Sundar
  0 siblings, 1 reply; 16+ messages in thread
From: Paul Moore @ 2016-04-21 12:58 UTC (permalink / raw)
  To: Deepika Sundar; +Cc: linux-audit

As we've already mentioned several times, we can make no guarantees
regarding functionality or compatibility without seeing your code.
While it may be frustrating, this is how Open Source development
works.

If you are interested in our help you will need to describe, in
detail, what you are trying to do and ideally post your existing code
so it can be reviewed.

On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar
<sundar.deepika18@gmail.com> wrote:
> Okay,If I update the Ausearch/aureport in order to aware of the new field in
> the audit log structure can it be feasible one?
>
> On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>>
>> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
>> > In general way,Is there any compatibility issues if audit log structure
>> > gets modified?
>>
>> Yes, there can be problems if the log structure gets modified.
>> Ausearch/report
>> are highly optimized for an exact format.
>>
>> -Steve
>>
>>
>> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
>> > > > As per my understanding audit log structure can be extendible based
>> > > > on
>> > > > requirements and in my project I need to add the identifier field
>> > > > for
>> > > > the
>> > > > application and as of now I couldn't able to revel the What
>> > > > application
>> > > > trying to develop to update.So,Is there any possibility that without
>> > > > breaking any Compatibility issues I can do it ?
>> > >
>> > > I have no idea what you are doing so there is no guarantee that it
>> > > won't
>> > > break
>> > > something. If your project is going to be released as open source its
>> > > generally best to collaborate with people so that problems can be
>> > > pointed
>> > > out.
>> > > Otherwise you risk spending a lot of time on something only to have it
>> > > rejected.
>> > >
>> > > -Steve
>> > >
>> > > > OR If any compatibility issues please specify .
>> > > >
>> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com>
>> > > > wrote:
>> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
>> > > > >
>> > > > > <sundar.deepika18@gmail.com> wrote:
>> > > > > > In the same way, in the kernel side
>> > > > > > Can I able to add one new field to the audit log structure
>> > > > > > without
>> > > > >
>> > > > > breaking
>> > > > >
>> > > > > > Compatibility? If so,
>> > > > > >
>> > > > > >   1.How can I add new field without breaking compatibility?
>> > > > > >
>> > > > > >      or
>> > > > > >
>> > > > > >   2.Is there any reserve field in audit log structure so that I
>> > > > > > can
>> > >
>> > > make
>> > >
>> > > > > use
>> > > > >
>> > > > > >     of it?
>> > > > >
>> > > > > You need to be more specific about what you are trying to do.
>> > > > > Speaking generally, unless you work to get your changed merged
>> > > > > into
>> > > > > the upstream kernel and userspace tools we cannot guarantee
>> > > > > present or
>> > > > > future compatibility.
>> > > > >
>> > > > > --
>> > > > > paul moore
>> > > > > www.paul-moore.com
>>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
paul moore
security @ redhat


* Re: New field to auditd.conf file
  2016-04-21 12:58                     ` Paul Moore
@ 2016-04-25  6:56                       ` Deepika Sundar
  2016-04-26  0:37                         ` Richard Guy Briggs
  0 siblings, 1 reply; 16+ messages in thread
From: Deepika Sundar @ 2016-04-25  6:56 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit



I wanted to add the namespace information to the audit record, for example
pid_ns, user_ns, net_ns. Is there any possibility of adding this field inside
the audit structure?

On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore@redhat.com> wrote:

> As we've already mentioned several times, we can make no guarantees
> regarding functionality or compatibility without seeing your code.
> While it may be frustrating, this is how Open Source development
> works.
>
> If you are interested in our help you will need to describe, in
> detail, what you are trying to do and ideally post your existing code
> so it can be reviewed.
>
> On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar
> <sundar.deepika18@gmail.com> wrote:
> > Okay,If I update the Ausearch/aureport in order to aware of the new
> field in
> > the audit log structure can it be feasible one?
> >
> > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> >>
> >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> >> > In general way,Is there any compatibility issues if audit log
> structure
> >> > gets modified?
> >>
> >> Yes, there can be problems if the log structure gets modified.
> >> Ausearch/report
> >> are highly optimized for an exact format.
> >>
> >> -Steve
> >>
> >>
> >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com>
> wrote:
> >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> >> > > > As per my understanding audit log structure can be extendible
> based
> >> > > > on
> >> > > > requirements and in my project I need to add the identifier field
> >> > > > for
> >> > > > the
> >> > > > application and as of now I couldn't able to revel the What
> >> > > > application
> >> > > > trying to develop to update.So,Is there any possibility that
> without
> >> > > > breaking any Compatibility issues I can do it ?
> >> > >
> >> > > I have no idea what you are doing so there is no guarantee that it
> >> > > won't
> >> > > break
> >> > > something. If your project is going to be released as open source
> its
> >> > > generally best to collaborate with people so that problems can be
> >> > > pointed
> >> > > out.
> >> > > Otherwise you risk spending a lot of time on something only to have
> it
> >> > > rejected.
> >> > >
> >> > > -Steve
> >> > >
> >> > > > OR If any compatibility issues please specify .
> >> > > >
> >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com>
> >> > > > wrote:
> >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> >> > > > >
> >> > > > > <sundar.deepika18@gmail.com> wrote:
> >> > > > > > In the same way, in the kernel side
> >> > > > > > Can I able to add one new field to the audit log structure
> >> > > > > > without
> >> > > > >
> >> > > > > breaking
> >> > > > >
> >> > > > > > Compatibility? If so,
> >> > > > > >
> >> > > > > >   1.How can I add new field without breaking compatibility?
> >> > > > > >
> >> > > > > >      or
> >> > > > > >
> >> > > > > >   2.Is there any reserve field in audit log structure so that
> I
> >> > > > > > can
> >> > >
> >> > > make
> >> > >
> >> > > > > use
> >> > > > >
> >> > > > > >     of it?
> >> > > > >
> >> > > > > You need to be more specific about what you are trying to do.
> >> > > > > Speaking generally, unless you work to get your changed merged
> >> > > > > into
> >> > > > > the upstream kernel and userspace tools we cannot guarantee
> >> > > > > present or
> >> > > > > future compatibility.
> >> > > > >
> >> > > > > --
> >> > > > > paul moore
> >> > > > > www.paul-moore.com
> >>
> >
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
> --
> paul moore
> security @ redhat
>


* Re: New field to auditd.conf file
  2016-04-25  6:56                       ` Deepika Sundar
@ 2016-04-26  0:37                         ` Richard Guy Briggs
  2016-04-28  5:59                           ` Deepika Sundar
  0 siblings, 1 reply; 16+ messages in thread
From: Richard Guy Briggs @ 2016-04-26  0:37 UTC (permalink / raw)
  To: Deepika Sundar; +Cc: linux-audit

On 16/04/25, Deepika Sundar wrote:
> I wanted to add the namespace information in the audit record for example
> pid_ns,user_ns,net_ns ,Is there any possibility to add this field inside
> Audit structure?

We've been looking at this issue for several years now and don't have an
obvious solution yet.  There has been discussion on this list.  It is on
the radar:

	https://bugzilla.redhat.com/show_bug.cgi?id=1045666


> On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore@redhat.com> wrote:
> > As we've already mentioned several times, we can make no guarantees
> > regarding functionality or compatibility without seeing your code.
> > While it may be frustrating, this is how Open Source development
> > works.
> >
> > If you are interested in our help you will need to describe, in
> > detail, what you are trying to do and ideally post your existing code
> > so it can be reviewed.
> >
> > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar
> > <sundar.deepika18@gmail.com> wrote:
> > > Okay,If I update the Ausearch/aureport in order to aware of the new
> > field in
> > > the audit log structure can it be feasible one?
> > >
> > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > >>
> > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> > >> > In general way,Is there any compatibility issues if audit log
> > structure
> > >> > gets modified?
> > >>
> > >> Yes, there can be problems if the log structure gets modified.
> > >> Ausearch/report
> > >> are highly optimized for an exact format.
> > >>
> > >> -Steve
> > >>
> > >>
> > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com>
> > wrote:
> > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > >> > > > As per my understanding audit log structure can be extendible
> > based
> > >> > > > on
> > >> > > > requirements and in my project I need to add the identifier field
> > >> > > > for
> > >> > > > the
> > >> > > > application and as of now I couldn't able to revel the What
> > >> > > > application
> > >> > > > trying to develop to update.So,Is there any possibility that
> > without
> > >> > > > breaking any Compatibility issues I can do it ?
> > >> > >
> > >> > > I have no idea what you are doing so there is no guarantee that it
> > >> > > won't
> > >> > > break
> > >> > > something. If your project is going to be released as open source
> > its
> > >> > > generally best to collaborate with people so that problems can be
> > >> > > pointed
> > >> > > out.
> > >> > > Otherwise you risk spending a lot of time on something only to have
> > it
> > >> > > rejected.
> > >> > >
> > >> > > -Steve
> > >> > >
> > >> > > > OR If any compatibility issues please specify .
> > >> > > >
> > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com>
> > >> > > > wrote:
> > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > >> > > > >
> > >> > > > > <sundar.deepika18@gmail.com> wrote:
> > >> > > > > > In the same way, in the kernel side
> > >> > > > > > Can I able to add one new field to the audit log structure
> > >> > > > > > without
> > >> > > > >
> > >> > > > > breaking
> > >> > > > >
> > >> > > > > > Compatibility? If so,
> > >> > > > > >
> > >> > > > > >   1.How can I add new field without breaking compatibility?
> > >> > > > > >
> > >> > > > > >      or
> > >> > > > > >
> > >> > > > > >   2.Is there any reserve field in audit log structure so that
> > I
> > >> > > > > > can
> > >> > >
> > >> > > make
> > >> > >
> > >> > > > > use
> > >> > > > >
> > >> > > > > >     of it?
> > >> > > > >
> > >> > > > > You need to be more specific about what you are trying to do.
> > >> > > > > Speaking generally, unless you work to get your changed merged
> > >> > > > > into
> > >> > > > > the upstream kernel and userspace tools we cannot guarantee
> > >> > > > > present or
> > >> > > > > future compatibility.
> > >> > > > >
> > >> > > > > --
> > >> > > > > paul moore
> > >> > > > > www.paul-moore.com
> > >>
> > >
> > >
> > > --
> > > Linux-audit mailing list
> > > Linux-audit@redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
> >
> >
> >
> > --
> > paul moore
> > security @ redhat
> >

> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit


- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: New field to auditd.conf file
  2016-04-26  0:37                         ` Richard Guy Briggs
@ 2016-04-28  5:59                           ` Deepika Sundar
  2016-04-29  2:47                             ` Richard Guy Briggs
  0 siblings, 1 reply; 16+ messages in thread
From: Deepika Sundar @ 2016-04-28  5:59 UTC (permalink / raw)
  To: Richard Guy Briggs, linux-audit, Paul Moore



Thank you for all the replies, and sorry, I am new to the audit subsystem.

I am facing a problem at the initial stage itself: where to add the new
field in the source code. As per my understanding of the code below, is it
possible to fine-tune it by adding a new field, say "APPLICATION ID", in
that structure?

If it is not possible, what is the impact? Or
is it possible to add a new member without any impact?
Please suggest some idea of where a new field can be added in the audit
structure so that it does not break compatibility, and provide documentation
that I can refer to.
Once I am clear on the method, I can share the code for review.

 Kernel/audit.c

void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
        const struct cred *cred;
        char comm[sizeof(tsk->comm)];
        char *tty;

        if (!ab)
                return;

        /* tsk == current */
        cred = current_cred();

        spin_lock_irq(&tsk->sighand->siglock);
        if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
                tty = tsk->signal->tty->name;
        else
                tty = "(none)";
        spin_unlock_irq(&tsk->sighand->siglock);

        audit_log_format(ab,
                         " ppid=%d pid=%d auid=%u uid=%u gid=%u"
                         " euid=%u suid=%u fsuid=%u"
                         " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
                         task_ppid_nr(tsk),
                         task_pid_nr(tsk),
                         from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
                         from_kuid(&init_user_ns, cred->uid),
                         from_kgid(&init_user_ns, cred->gid),
                         from_kuid(&init_user_ns, cred->euid),
                         from_kuid(&init_user_ns, cred->suid),
                         from_kuid(&init_user_ns, cred->fsuid),
                         from_kgid(&init_user_ns, cred->egid),
                         from_kgid(&init_user_ns, cred->sgid),
                         from_kgid(&init_user_ns, cred->fsgid),
+                        tty, audit_get_sessionid(tsk), ApplicationID............);

        audit_log_format(ab, " comm=");
        audit_log_untrustedstring(ab, get_task_comm(comm, tsk));

        audit_log_d_path_exe(ab, tsk->mm);
        audit_log_task_context(ab);
}


* Re: New field to auditd.conf file
  2016-04-28  5:59                           ` Deepika Sundar
@ 2016-04-29  2:47                             ` Richard Guy Briggs
  0 siblings, 0 replies; 16+ messages in thread
From: Richard Guy Briggs @ 2016-04-29  2:47 UTC
  To: Deepika Sundar; +Cc: linux-audit

On 16/04/28, Deepika Sundar wrote:
> Thank you for all the replies, and sorry, I am new to this audit subsystem field.
>
> I am facing a problem at the initial stage itself: where to add the new
> field in the source code. As per my working understanding of the code below,
> is it possible to fine-tune it by adding a new field, say "APPLICATION ID", in
> that structure?
>
> If it is not possible, what is the impact? OR
> Is it possible to add a new member without any impact?
> Please suggest some idea of where a new field in the audit structure can be
> added so that it does not break compatibility. Please point me to documentation
> that I can refer to.
> Once I am clear on the method, I can share the code for review.

There is a list of technical resources at:
	http://people.redhat.com/sgrubb/audit/
with a section on "Specs".

In particular, please see:
	http://people.redhat.com/sgrubb/audit/audit-events.txt
	http://people.redhat.com/sgrubb/audit/audit-parse.txt

I don't understand what this is below...

>  Kernel/audit.c
>
> void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> {
>         const struct cred *cred;
>         char comm[sizeof(tsk->comm)];
>         char *tty;
>
>         if (!ab)
>                 return;
>
>         /* tsk == current */
>         cred = current_cred();
>
>         spin_lock_irq(&tsk->sighand->siglock);
>         if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
>                 tty = tsk->signal->tty->name;
>         else
>                 tty = "(none)";
>         spin_unlock_irq(&tsk->sighand->siglock);
>
>         audit_log_format(ab,
>                          " ppid=%d pid=%d auid=%u uid=%u gid=%u"
>                          " euid=%u suid=%u fsuid=%u"
>                          " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
>                          task_ppid_nr(tsk),
>                          task_pid_nr(tsk),
>                          from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
>                          from_kuid(&init_user_ns, cred->uid),
>                          from_kgid(&init_user_ns, cred->gid),
>                          from_kuid(&init_user_ns, cred->euid),
>                          from_kuid(&init_user_ns, cred->suid),
>                          from_kuid(&init_user_ns, cred->fsuid),
>                          from_kgid(&init_user_ns, cred->egid),
>                          from_kgid(&init_user_ns, cred->sgid),
>                          from_kgid(&init_user_ns, cred->fsgid),
> +                        tty, audit_get_sessionid(tsk), ApplicationID............);
>
>         audit_log_format(ab, " comm=");
>         audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
>
>         audit_log_d_path_exe(ab, tsk->mm);
>         audit_log_task_context(ab);
> }
>

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
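
The compatibility concern raised earlier in the thread (ausearch/aureport expecting an exact format), shown on the record layout that audit_log_task_info() emits; this is an added example, not part of any message in the thread and not code from the kernel or the audit userspace tools. It compares where comm= sits before and after a field is inserted behind ses=, and reads it by name instead, decoding the hex form that audit_log_untrustedstring() uses for values with spaces or quotes. The records are constructed and the field name "appid" is a hypothetical stand-in for the poster's elided ApplicationID.

```c
#include <stdio.h>
#include <string.h>

/* Constructed records in the field order of the format string quoted above.
 * "appid" is a hypothetical field name, not a real audit field.
 * In REC_HEX, comm "my app" contains a space, so it is unquoted hex. */
static const char REC_ORIG[] =
    "ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 "
    "fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 "
    "comm=\"bash\" exe=\"/usr/bin/bash\"";
static const char REC_EXT[] =
    "ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 "
    "fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 appid=7 "
    "comm=\"bash\" exe=\"/usr/bin/bash\"";
static const char REC_HEX[] = "tty=pts0 ses=3 appid=7 comm=6D7920617070";

struct field { const char *name, *val; size_t nlen, vlen; int quoted; };

/* Read one name=value token starting at *p; returns 0 at end of record. */
static int next_field(const char **p, struct field *f)
{
    const char *s = *p;
    while (*s == ' ') s++;
    if (!*s) return 0;
    f->name = s;
    while (*s && *s != '=' && *s != ' ') s++;
    f->nlen = (size_t)(s - f->name);
    if (*s == '=') s++;
    f->quoted = (*s == '"');
    if (f->quoted) s++;
    f->val = s;
    while (*s && *s != (f->quoted ? '"' : ' ')) s++;
    f->vlen = (size_t)(s - f->val);
    if (f->quoted && *s == '"') s++;
    *p = s;
    return 1;
}

/* Locate field `name`; fills *f and returns its 0-based position, or -1. */
int find_field(const char *rec, const char *name, struct field *f)
{
    size_t want = strlen(name);
    for (int i = 0; next_field(&rec, f); i++)
        if (f->nlen == want && !memcmp(f->name, name, want))
            return i;
    return -1;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Name-based consumer: value of field `name`, wherever it sits. Set
 * `untrusted` for fields written by audit_log_untrustedstring(): quoted
 * values are literal, unquoted ones are hex and get decoded. */
int field_value(const char *rec, const char *name, int untrusted,
                char *out, size_t outlen)
{
    struct field f;
    size_t n = 0;
    if (find_field(rec, name, &f) < 0 || f.vlen >= outlen) return -1;
    if (!untrusted || f.quoted) {
        n = f.vlen;
        memcpy(out, f.val, n);
    } else {
        if (f.vlen % 2) return -1;      /* malformed hex value */
        for (; 2 * n < f.vlen; n++) {
            int hi = hexval(f.val[2 * n]), lo = hexval(f.val[2 * n + 1]);
            if (hi < 0 || lo < 0) return -1;
            out[n] = (char)(hi << 4 | lo);
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    struct field f;
    char comm[64] = "";
    int before = find_field(REC_ORIG, "comm", &f);
    int after = find_field(REC_EXT, "comm", &f);
    field_value(REC_HEX, "comm", 1, comm, sizeof comm);
    printf("comm position %d -> %d, decoded comm: %s\n", before, after, comm);
    return 0;
}
```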


Thread overview: 16+ messages
2016-04-06 11:36 New field to auditd.conf file Deepika Sundar
2016-04-06 11:50 ` Steve Grubb
2016-04-06 11:55   ` Deepika Sundar
2016-04-06 12:17     ` Steve Grubb
2016-04-07  4:47       ` Deepika Sundar
2016-04-07 18:42         ` Paul Moore
2016-04-13  5:33           ` Deepika Sundar
2016-04-13 12:31             ` Steve Grubb
2016-04-20  4:35               ` Deepika Sundar
2016-04-20 12:30                 ` Steve Grubb
2016-04-21  5:25                   ` Deepika Sundar
2016-04-21 12:58                     ` Paul Moore
2016-04-25  6:56                       ` Deepika Sundar
2016-04-26  0:37                         ` Richard Guy Briggs
2016-04-28  5:59                           ` Deepika Sundar
2016-04-29  2:47                             ` Richard Guy Briggs
