From: Paul Moore
Date: Tue, 3 May 2022 12:57:21 -0400
Subject: Re: [PATCH 2/2] audit: add filterkey to special audit messages
To: Sven Schnelle
Cc: Eric Paris, linux-audit@redhat.com, linux-kernel@vger.kernel.org
In-Reply-To: <20220503090212.1322050-2-svens@linux.ibm.com>

On Tue, May 3, 2022 at 5:02 AM Sven Schnelle wrote:
>
> For automated filtering/testing it is useful to have the
> filter key logged in the message.
>
> Signed-off-by: Sven Schnelle
> ---
> kernel/auditsc.c | 1 +
> 1 file changed, 1 insertion(+)

The SOCKETCALL record, along with all of the others generated inside
show_special(), are associated with a SYSCALL record which carries the
"key=" field. As a general rule we try very hard not to duplicate
fields across records in a single audit event.

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index c856893041c9..2e349660a56f 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c
> @@ -1508,6 +1508,7 @@ static void show_special(struct audit_context *context, int *call_panic) > audit_log_time(context, &ab); > break; > } > + audit_log_key(ab, context->filterkey); > audit_log_end(ab); > } > > -- > 2.32.0

--
paul-moore.com
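
Review bot: the added "audit_log_key(ab, context->filterkey);" sits after the closing brace of the preceding block and directly before "audit_log_end(ab);", so it runs unconditionally for every record type show_special() emits, and each of those records would repeat the "key=" field that, per the reply above, the associated SYSCALL record of the same event already carries. The changelog gives only "automated filtering/testing" as the reason and does not say why the consumer cannot read the key from the SYSCALL record; either spell out that case in the commit message or drop the call and have the consumer correlate on the SYSCALL record.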
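
The correlation the reply relies on, as an added example (not code from this thread, the kernel or the audit userspace tools): a log consumer can attribute the SYSCALL record's key to the SOCKETCALL record of the same event by grouping records on the shared msg=audit(timestamp:serial) identifier. The log lines, the key name net_connect and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). All records of one audit
# event share the same msg=audit(<timestamp>:<serial>) identifier.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1651597052.331:4242): arch=80000016 syscall=102 success=yes exit=0 a0=3 items=0 pid=1234 comm="curl" exe="/usr/bin/curl" key="net_connect"
type=SOCKADDR msg=audit(1651597052.331:4242): saddr=00020050C00002010000000000000000
type=SOCKETCALL msg=audit(1651597052.331:4242): nargs=3 a0=3 a1=3ffd8a7e3a0 a2=10
type=SYSCALL msg=audit(1651597052.400:4243): arch=80000016 syscall=102 success=yes exit=0 a0=1 items=0 pid=1234 comm="curl" exe="/usr/bin/curl" key=(null)
type=SOCKETCALL msg=audit(1651597052.400:4243): nargs=3 a0=2 a1=1 a2=0
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$')
KEY_RE = re.compile(r'(?:^|\s)key=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

def group_events(log_text):
    """Map event id -> list of (record type, record body), in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events[m["event"]].append((m["type"], m["body"]))
    return events

def event_key(records):
    """Return the filter key from the event's SYSCALL record, or None."""
    for rtype, body in records:
        if rtype != "SYSCALL":
            continue
        m = KEY_RE.search(body)
        if m is None:
            return None
        if m["quoted"] is not None:
            return m["quoted"]
        # Unquoted: "(null)" means no key was set; anything else is returned
        # as written (the kernel hex-encodes keys with special characters).
        return None if m["bare"] == "(null)" else m["bare"]
    return None

def records_with_key(log_text, record_type, key):
    """Return (event id, body) for records of record_type in events tagged key."""
    hits = []
    for event_id, records in group_events(log_text).items():
        if event_key(records) == key:
            hits.extend((event_id, b) for t, b in records if t == record_type)
    return hits
```
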