* New field to auditd.conf file @ 2016-04-06 11:36 Deepika Sundar 2016-04-06 11:50 ` Steve Grubb 0 siblings, 1 reply; 16+ messages in thread From: Deepika Sundar @ 2016-04-06 11:36 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 67 bytes --] Can it be possible to add new field to auditd.conf file? -Deepika [-- Attachment #1.2: Type: text/html, Size: 134 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-06 11:36 New field to auditd.conf file Deepika Sundar @ 2016-04-06 11:50 ` Steve Grubb 2016-04-06 11:55 ` Deepika Sundar 0 siblings, 1 reply; 16+ messages in thread From: Steve Grubb @ 2016-04-06 11:50 UTC (permalink / raw) To: linux-audit On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote: > Can it be possible to add new field to auditd.conf file? That depends entirely on what functionality is being added and if its acceptable to people in general. -Steve ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-06 11:50 ` Steve Grubb @ 2016-04-06 11:55 ` Deepika Sundar 2016-04-06 12:17 ` Steve Grubb 0 siblings, 1 reply; 16+ messages in thread From: Deepika Sundar @ 2016-04-06 11:55 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 501 bytes --] Ok.If i wanted to add the new field to experiment on the requirement, which are the files(programs) that need changes or to be updated to take effect on new field in auditd.conf? On Wed, Apr 6, 2016 at 5:20 PM, Steve Grubb <sgrubb@redhat.com> wrote: > On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote: > > Can it be possible to add new field to auditd.conf file? > > That depends entirely on what functionality is being added and if its > acceptable to people in general. > > -Steve > [-- Attachment #1.2: Type: text/html, Size: 884 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-06 11:55 ` Deepika Sundar @ 2016-04-06 12:17 ` Steve Grubb 2016-04-07 4:47 ` Deepika Sundar 0 siblings, 1 reply; 16+ messages in thread From: Steve Grubb @ 2016-04-06 12:17 UTC (permalink / raw) To: linux-audit On Wednesday, April 06, 2016 05:25:36 PM Deepika Sundar wrote: > Ok.If i wanted to add the new field to experiment on the requirement, which > are the files(programs) that need changes or to be updated to take effect > on new field in auditd.conf? auditd-config.c > On Wed, Apr 6, 2016 at 5:20 PM, Steve Grubb <sgrubb@redhat.com> wrote: > > On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote: > > > Can it be possible to add new field to auditd.conf file? > > > > That depends entirely on what functionality is being added and if its > > acceptable to people in general. > > > > -Steve ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-06 12:17 ` Steve Grubb @ 2016-04-07 4:47 ` Deepika Sundar 2016-04-07 18:42 ` Paul Moore 0 siblings, 1 reply; 16+ messages in thread From: Deepika Sundar @ 2016-04-07 4:47 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 990 bytes --] In the same way, in the kernel side Can I able to add one new field to the audit log structure without breaking Compatibility?If so, 1.How can I add new field without breaking compatibility? or 2. Is there any reserve field in audit log structure so that I can make use of it? On Wed, Apr 6, 2016 at 5:47 PM, Steve Grubb <sgrubb@redhat.com> wrote: > On Wednesday, April 06, 2016 05:25:36 PM Deepika Sundar wrote: > > Ok.If i wanted to add the new field to experiment on the requirement, > which > > are the files(programs) that need changes or to be updated to take > effect > > on new field in auditd.conf? > > auditd-config.c > > > > On Wed, Apr 6, 2016 at 5:20 PM, Steve Grubb <sgrubb@redhat.com> wrote: > > > On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote: > > > > Can it be possible to add new field to auditd.conf file? > > > > > > That depends entirely on what functionality is being added and if its > > > acceptable to people in general. > > > > > > -Steve > > [-- Attachment #1.2: Type: text/html, Size: 1583 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-07 4:47 ` Deepika Sundar @ 2016-04-07 18:42 ` Paul Moore 2016-04-13 5:33 ` Deepika Sundar 0 siblings, 1 reply; 16+ messages in thread From: Paul Moore @ 2016-04-07 18:42 UTC (permalink / raw) To: Deepika Sundar; +Cc: linux-audit On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar <sundar.deepika18@gmail.com> wrote: > In the same way, in the kernel side > Can I able to add one new field to the audit log structure without breaking > Compatibility? If so, > 1.How can I add new field without breaking compatibility? > or > 2.Is there any reserve field in audit log structure so that I can make use > of it? You need to be more specific about what you are trying to do. Speaking generally, unless you work to get your changed merged into the upstream kernel and userspace tools we cannot guarantee present or future compatibility. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-07 18:42 ` Paul Moore @ 2016-04-13 5:33 ` Deepika Sundar 2016-04-13 12:31 ` Steve Grubb 0 siblings, 1 reply; 16+ messages in thread From: Deepika Sundar @ 2016-04-13 5:33 UTC (permalink / raw) To: Paul Moore, Steve Grubb, linux-audit [-- Attachment #1.1: Type: text/plain, Size: 1143 bytes --] As per my understanding audit log structure can be extendible based on requirements and in my project I need to add the identifier field for the application and as of now I couldn't able to revel the What application trying to develop to update.So,Is there any possibility that without breaking any Compatibility issues I can do it ? OR If any compatibility issues please specify . On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote: > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar > <sundar.deepika18@gmail.com> wrote: > > In the same way, in the kernel side > > Can I able to add one new field to the audit log structure without > breaking > > Compatibility? If so, > > 1.How can I add new field without breaking compatibility? > > or > > 2.Is there any reserve field in audit log structure so that I can make > use > > of it? > > You need to be more specific about what you are trying to do. > Speaking generally, unless you work to get your changed merged into > the upstream kernel and userspace tools we cannot guarantee present or > future compatibility. > > -- > paul moore > www.paul-moore.com > [-- Attachment #1.2: Type: text/html, Size: 1762 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-13 5:33 ` Deepika Sundar @ 2016-04-13 12:31 ` Steve Grubb 2016-04-20 4:35 ` Deepika Sundar 0 siblings, 1 reply; 16+ messages in thread From: Steve Grubb @ 2016-04-13 12:31 UTC (permalink / raw) To: Deepika Sundar; +Cc: linux-audit On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > As per my understanding audit log structure can be extendible based on > requirements and in my project I need to add the identifier field for the > application and as of now I couldn't able to revel the What application > trying to develop to update.So,Is there any possibility that without > breaking any Compatibility issues I can do it ? I have no idea what you are doing so there is no guarantee that it won't break something. If your project is going to be released as open source its generally best to collaborate with people so that problems can be pointed out. Otherwise you risk spending a lot of time on something only to have it rejected. -Steve > OR If any compatibility issues please specify . > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote: > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar > > > > <sundar.deepika18@gmail.com> wrote: > > > In the same way, in the kernel side > > > Can I able to add one new field to the audit log structure without > > > > breaking > > > > > Compatibility? If so, > > > > > > 1.How can I add new field without breaking compatibility? > > > > > > or > > > > > > 2.Is there any reserve field in audit log structure so that I can make > > > > use > > > > > of it? > > > > You need to be more specific about what you are trying to do. > > Speaking generally, unless you work to get your changed merged into > > the upstream kernel and userspace tools we cannot guarantee present or > > future compatibility. > > > > -- > > paul moore > > www.paul-moore.com ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-13 12:31 ` Steve Grubb @ 2016-04-20 4:35 ` Deepika Sundar 2016-04-20 12:30 ` Steve Grubb 0 siblings, 1 reply; 16+ messages in thread From: Deepika Sundar @ 2016-04-20 4:35 UTC (permalink / raw) To: Steve Grubb, Paul Moore, linux-audit [-- Attachment #1.1: Type: text/plain, Size: 1877 bytes --] In general way,Is there any compatibility issues if audit log structure gets modified? On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> wrote: > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > > As per my understanding audit log structure can be extendible based on > > requirements and in my project I need to add the identifier field for the > > application and as of now I couldn't able to revel the What application > > trying to develop to update.So,Is there any possibility that without > > breaking any Compatibility issues I can do it ? > > I have no idea what you are doing so there is no guarantee that it won't > break > something. If your project is going to be released as open source its > generally best to collaborate with people so that problems can be pointed > out. > Otherwise you risk spending a lot of time on something only to have it > rejected. > > -Steve > > > > OR If any compatibility issues please specify . > > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote: > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar > > > > > > <sundar.deepika18@gmail.com> wrote: > > > > In the same way, in the kernel side > > > > Can I able to add one new field to the audit log structure without > > > > > > breaking > > > > > > > Compatibility? If so, > > > > > > > > 1.How can I add new field without breaking compatibility? > > > > > > > > or > > > > > > > > 2.Is there any reserve field in audit log structure so that I can > make > > > > > > use > > > > > > > of it? > > > > > > You need to be more specific about what you are trying to do. > > > Speaking generally, unless you work to get your changed merged into > > > the upstream kernel and userspace tools we cannot guarantee present or > > > future compatibility. > > > > > > -- > > > paul moore > > > www.paul-moore.com > > [-- Attachment #1.2: Type: text/html, Size: 2851 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-20 4:35 ` Deepika Sundar @ 2016-04-20 12:30 ` Steve Grubb 2016-04-21 5:25 ` Deepika Sundar 0 siblings, 1 reply; 16+ messages in thread From: Steve Grubb @ 2016-04-20 12:30 UTC (permalink / raw) To: Deepika Sundar, linux-audit On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote: > In general way,Is there any compatibility issues if audit log structure > gets modified? Yes, there can be problems if the log structure gets modified. Ausearch/report are highly optimized for an exact format. -Steve > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> wrote: > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > > > As per my understanding audit log structure can be extendible based on > > > requirements and in my project I need to add the identifier field for > > > the > > > application and as of now I couldn't able to revel the What application > > > trying to develop to update.So,Is there any possibility that without > > > breaking any Compatibility issues I can do it ? > > > > I have no idea what you are doing so there is no guarantee that it won't > > break > > something. If your project is going to be released as open source its > > generally best to collaborate with people so that problems can be pointed > > out. > > Otherwise you risk spending a lot of time on something only to have it > > rejected. > > > > -Steve > > > > > OR If any compatibility issues please specify . > > > > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote: > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar > > > > > > > > <sundar.deepika18@gmail.com> wrote: > > > > > In the same way, in the kernel side > > > > > Can I able to add one new field to the audit log structure without > > > > > > > > breaking > > > > > > > > > Compatibility? If so, > > > > > > > > > > 1.How can I add new field without breaking compatibility? > > > > > > > > > > or > > > > > > > > > > 2.Is there any reserve field in audit log structure so that I can > > > > make > > > > > > use > > > > > > > > > of it? > > > > > > > > You need to be more specific about what you are trying to do. > > > > Speaking generally, unless you work to get your changed merged into > > > > the upstream kernel and userspace tools we cannot guarantee present or > > > > future compatibility. > > > > > > > > -- > > > > paul moore > > > > www.paul-moore.com ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-20 12:30 ` Steve Grubb @ 2016-04-21 5:25 ` Deepika Sundar 2016-04-21 12:58 ` Paul Moore 0 siblings, 1 reply; 16+ messages in thread From: Deepika Sundar @ 2016-04-21 5:25 UTC (permalink / raw) To: Steve Grubb, linux-audit [-- Attachment #1.1: Type: text/plain, Size: 2515 bytes --] Okay,If I update the Ausearch/aureport in order to aware of the new field in the audit log structure can it be feasible one? On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> wrote: > On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote: > > In general way,Is there any compatibility issues if audit log structure > > gets modified? > > Yes, there can be problems if the log structure gets modified. > Ausearch/report > are highly optimized for an exact format. > > -Steve > > > > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> wrote: > > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > > > > As per my understanding audit log structure can be extendible based > on > > > > requirements and in my project I need to add the identifier field for > > > > the > > > > application and as of now I couldn't able to revel the What > application > > > > trying to develop to update.So,Is there any possibility that without > > > > breaking any Compatibility issues I can do it ? > > > > > > I have no idea what you are doing so there is no guarantee that it > won't > > > break > > > something. If your project is going to be released as open source its > > > generally best to collaborate with people so that problems can be > pointed > > > out. > > > Otherwise you risk spending a lot of time on something only to have it > > > rejected. > > > > > > -Steve > > > > > > > OR If any compatibility issues please specify . > > > > > > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> > wrote: > > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar > > > > > > > > > > <sundar.deepika18@gmail.com> wrote: > > > > > > In the same way, in the kernel side > > > > > > Can I able to add one new field to the audit log structure > without > > > > > > > > > > breaking > > > > > > > > > > > Compatibility? If so, > > > > > > > > > > > > 1.How can I add new field without breaking compatibility? > > > > > > > > > > > > or > > > > > > > > > > > > 2.Is there any reserve field in audit log structure so that I > can > > > > > > make > > > > > > > > use > > > > > > > > > > > of it? > > > > > > > > > > You need to be more specific about what you are trying to do. > > > > > Speaking generally, unless you work to get your changed merged into > > > > > the upstream kernel and userspace tools we cannot guarantee > present or > > > > > future compatibility. > > > > > > > > > > -- > > > > > paul moore > > > > > www.paul-moore.com > > [-- Attachment #1.2: Type: text/html, Size: 3879 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-21 5:25 ` Deepika Sundar @ 2016-04-21 12:58 ` Paul Moore 2016-04-25 6:56 ` Deepika Sundar 0 siblings, 1 reply; 16+ messages in thread From: Paul Moore @ 2016-04-21 12:58 UTC (permalink / raw) To: Deepika Sundar; +Cc: linux-audit As we've already mentioned several times, we can make no guarantees regarding functionality or compatibility without seeing your code. While it may be frustrating, this is how Open Source development works. If you are interested in our help you will need to describe, in detail, what you are trying to do and ideally post your existing code so it can be reviewed. On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar <sundar.deepika18@gmail.com> wrote: > Okay,If I update the Ausearch/aureport in order to aware of the new field in > the audit log structure can it be feasible one? > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> wrote: >> >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote: >> > In general way,Is there any compatibility issues if audit log structure >> > gets modified? >> >> Yes, there can be problems if the log structure gets modified. >> Ausearch/report >> are highly optimized for an exact format. >> >> -Steve >> >> >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> wrote: >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: >> > > > As per my understanding audit log structure can be extendible based >> > > > on >> > > > requirements and in my project I need to add the identifier field >> > > > for >> > > > the >> > > > application and as of now I couldn't able to revel the What >> > > > application >> > > > trying to develop to update.So,Is there any possibility that without >> > > > breaking any Compatibility issues I can do it ? >> > > >> > > I have no idea what you are doing so there is no guarantee that it >> > > won't >> > > break >> > > something. If your project is going to be released as open source its >> > > generally best to collaborate with people so that problems can be >> > > pointed >> > > out. >> > > Otherwise you risk spending a lot of time on something only to have it >> > > rejected. >> > > >> > > -Steve >> > > >> > > > OR If any compatibility issues please specify . >> > > > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> >> > > > wrote: >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar >> > > > > >> > > > > <sundar.deepika18@gmail.com> wrote: >> > > > > > In the same way, in the kernel side >> > > > > > Can I able to add one new field to the audit log structure >> > > > > > without >> > > > > >> > > > > breaking >> > > > > >> > > > > > Compatibility? If so, >> > > > > > >> > > > > > 1.How can I add new field without breaking compatibility? >> > > > > > >> > > > > > or >> > > > > > >> > > > > > 2.Is there any reserve field in audit log structure so that I >> > > > > > can >> > > >> > > make >> > > >> > > > > use >> > > > > >> > > > > > of it? >> > > > > >> > > > > You need to be more specific about what you are trying to do. >> > > > > Speaking generally, unless you work to get your changed merged >> > > > > into >> > > > > the upstream kernel and userspace tools we cannot guarantee >> > > > > present or >> > > > > future compatibility. >> > > > > >> > > > > -- >> > > > > paul moore >> > > > > www.paul-moore.com >> > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- paul moore security @ redhat ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-21 12:58 ` Paul Moore @ 2016-04-25 6:56 ` Deepika Sundar 2016-04-26 0:37 ` Richard Guy Briggs 0 siblings, 1 reply; 16+ messages in thread From: Deepika Sundar @ 2016-04-25 6:56 UTC (permalink / raw) To: Paul Moore; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 3722 bytes --] I wanted to add the namespace information in the audit record for example pid_ns,user_ns,net_ns ,Is there any possibility to add this field inside Audit structure? On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore@redhat.com> wrote: > As we've already mentioned several times, we can make no guarantees > regarding functionality or compatibility without seeing your code. > While it may be frustrating, this is how Open Source development > works. > > If you are interested in our help you will need to describe, in > detail, what you are trying to do and ideally post your existing code > so it can be reviewed. > > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar > <sundar.deepika18@gmail.com> wrote: > > Okay,If I update the Ausearch/aureport in order to aware of the new > field in > > the audit log structure can it be feasible one? > > > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> wrote: > >> > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote: > >> > In general way,Is there any compatibility issues if audit log > structure > >> > gets modified? > >> > >> Yes, there can be problems if the log structure gets modified. > >> Ausearch/report > >> are highly optimized for an exact format. > >> > >> -Steve > >> > >> > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> > wrote: > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > >> > > > As per my understanding audit log structure can be extendible > based > >> > > > on > >> > > > requirements and in my project I need to add the identifier field > >> > > > for > >> > > > the > >> > > > application and as of now I couldn't able to revel the What > >> > > > application > >> > > > trying to develop to update.So,Is there any possibility that > without > >> > > > breaking any Compatibility issues I can do it ? > >> > > > >> > > I have no idea what you are doing so there is no guarantee that it > >> > > won't > >> > > break > >> > > something. If your project is going to be released as open source > its > >> > > generally best to collaborate with people so that problems can be > >> > > pointed > >> > > out. > >> > > Otherwise you risk spending a lot of time on something only to have > it > >> > > rejected. > >> > > > >> > > -Steve > >> > > > >> > > > OR If any compatibility issues please specify . > >> > > > > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> > >> > > > wrote: > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar > >> > > > > > >> > > > > <sundar.deepika18@gmail.com> wrote: > >> > > > > > In the same way, in the kernel side > >> > > > > > Can I able to add one new field to the audit log structure > >> > > > > > without > >> > > > > > >> > > > > breaking > >> > > > > > >> > > > > > Compatibility? If so, > >> > > > > > > >> > > > > > 1.How can I add new field without breaking compatibility? > >> > > > > > > >> > > > > > or > >> > > > > > > >> > > > > > 2.Is there any reserve field in audit log structure so that > I > >> > > > > > can > >> > > > >> > > make > >> > > > >> > > > > use > >> > > > > > >> > > > > > of it? > >> > > > > > >> > > > > You need to be more specific about what you are trying to do. > >> > > > > Speaking generally, unless you work to get your changed merged > >> > > > > into > >> > > > > the upstream kernel and userspace tools we cannot guarantee > >> > > > > present or > >> > > > > future compatibility. > >> > > > > > >> > > > > -- > >> > > > > paul moore > >> > > > > www.paul-moore.com > >> > > > > > > -- > > Linux-audit mailing list > > Linux-audit@redhat.com > > https://www.redhat.com/mailman/listinfo/linux-audit > > > > -- > paul moore > security @ redhat > [-- Attachment #1.2: Type: text/html, Size: 6011 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-25 6:56 ` Deepika Sundar @ 2016-04-26 0:37 ` Richard Guy Briggs 2016-04-28 5:59 ` Deepika Sundar 0 siblings, 1 reply; 16+ messages in thread From: Richard Guy Briggs @ 2016-04-26 0:37 UTC (permalink / raw) To: Deepika Sundar; +Cc: linux-audit On 16/04/25, Deepika Sundar wrote: > I wanted to add the namespace information in the audit record for example > pid_ns,user_ns,net_ns ,Is there any possibility to add this field inside > Audit structure? We've been looking at this issue for several years now and don't have an obvious solution yet. There has been discussion on this list. It is on the radar: https://bugzilla.redhat.com/show_bug.cgi?id=1045666 > On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore@redhat.com> wrote: > > As we've already mentioned several times, we can make no guarantees > > regarding functionality or compatibility without seeing your code. > > While it may be frustrating, this is how Open Source development > > works. > > > > If you are interested in our help you will need to describe, in > > detail, what you are trying to do and ideally post your existing code > > so it can be reviewed. > > > > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar > > <sundar.deepika18@gmail.com> wrote: > > > Okay,If I update the Ausearch/aureport in order to aware of the new > > field in > > > the audit log structure can it be feasible one? > > > > > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> wrote: > > >> > > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote: > > >> > In general way,Is there any compatibility issues if audit log > > structure > > >> > gets modified? > > >> > > >> Yes, there can be problems if the log structure gets modified. > > >> Ausearch/report > > >> are highly optimized for an exact format. > > >> > > >> -Steve > > >> > > >> > > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> > > wrote: > > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > > >> > > > As per my understanding audit log structure can be extendible > > based > > >> > > > on > > >> > > > requirements and in my project I need to add the identifier field > > >> > > > for > > >> > > > the > > >> > > > application and as of now I couldn't able to revel the What > > >> > > > application > > >> > > > trying to develop to update.So,Is there any possibility that > > without > > >> > > > breaking any Compatibility issues I can do it ? > > >> > > > > >> > > I have no idea what you are doing so there is no guarantee that it > > >> > > won't > > >> > > break > > >> > > something. If your project is going to be released as open source > > its > > >> > > generally best to collaborate with people so that problems can be > > >> > > pointed > > >> > > out. > > >> > > Otherwise you risk spending a lot of time on something only to have > > it > > >> > > rejected. > > >> > > > > >> > > -Steve > > >> > > > > >> > > > OR If any compatibility issues please specify . > > >> > > > > > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> > > >> > > > wrote: > > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar > > >> > > > > > > >> > > > > <sundar.deepika18@gmail.com> wrote: > > >> > > > > > In the same way, in the kernel side > > >> > > > > > Can I able to add one new field to the audit log structure > > >> > > > > > without > > >> > > > > > > >> > > > > breaking > > >> > > > > > > >> > > > > > Compatibility? If so, > > >> > > > > > > > >> > > > > > 1.How can I add new field without breaking compatibility? > > >> > > > > > > > >> > > > > > or > > >> > > > > > > > >> > > > > > 2.Is there any reserve field in audit log structure so that > > I > > >> > > > > > can > > >> > > > > >> > > make > > >> > > > > >> > > > > use > > >> > > > > > > >> > > > > > of it? > > >> > > > > > > >> > > > > You need to be more specific about what you are trying to do. > > >> > > > > Speaking generally, unless you work to get your changed merged > > >> > > > > into > > >> > > > > the upstream kernel and userspace tools we cannot guarantee > > >> > > > > present or > > >> > > > > future compatibility. > > >> > > > > > > >> > > > > -- > > >> > > > > paul moore > > >> > > > > www.paul-moore.com > > >> > > > > > > > > > -- > > > Linux-audit mailing list > > > Linux-audit@redhat.com > > > https://www.redhat.com/mailman/listinfo/linux-audit > > > > > > > > -- > > paul moore > > security @ redhat > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs <rgb@redhat.com> Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-26 0:37 ` Richard Guy Briggs @ 2016-04-28 5:59 ` Deepika Sundar 2016-04-29 2:47 ` Richard Guy Briggs 0 siblings, 1 reply; 16+ messages in thread From: Deepika Sundar @ 2016-04-28 5:59 UTC (permalink / raw) To: Richard Guy Briggs, linux-audit, Paul Moore [-- Attachment #1.1: Type: text/plain, Size: 13182 bytes --] Thank you for all replies and Sorry, I am new to this audit subsystem field. I am facing the problem in the initial stage itself that,Where to add the new field in the source code, as per my work understanding in the below code,Is it possible to fine tune by adding new field say,*"APPLICATION ID" *in that structure. If not possible, What is the impact ? *OR* Is it possible to add a new member without any impact? Please Suggest me with some IDEA where new field in audit structure can be added and It should not break compatibility.Provide Documentation where I can refer to do. Once I am clear with the method I can Share the code to review. Kernel/audit.c void audit_log_task_info <http://lxr.free-electrons.com/ident?i=audit_log_task_info>(struct audit_buffer <http://lxr.free-electrons.com/ident?i=audit_buffer> *ab, struct task_struct <http://lxr.free-electrons.com/ident?i=task_struct> *tsk <http://lxr.free-electrons.com/ident?i=tsk>) 1873 <http://lxr.free-electrons.com/source/kernel/audit.c#L1873> {1874 <http://lxr.free-electrons.com/source/kernel/audit.c#L1874> const struct cred <http://lxr.free-electrons.com/ident?i=cred> *cred <http://lxr.free-electrons.com/ident?i=cred>;1875 <http://lxr.free-electrons.com/source/kernel/audit.c#L1875> char comm <http://lxr.free-electrons.com/ident?i=comm>[sizeof(tsk <http://lxr.free-electrons.com/ident?i=tsk>->comm <http://lxr.free-electrons.com/ident?i=comm>)];1876 <http://lxr.free-electrons.com/source/kernel/audit.c#L1876> char *tty <http://lxr.free-electrons.com/ident?i=tty>;1877 <http://lxr.free-electrons.com/source/kernel/audit.c#L1877> 1878 <http://lxr.free-electrons.com/source/kernel/audit.c#L1878> if (!ab)1879 <http://lxr.free-electrons.com/source/kernel/audit.c#L1879> return;1880 <http://lxr.free-electrons.com/source/kernel/audit.c#L1880> 1881 <http://lxr.free-electrons.com/source/kernel/audit.c#L1881> */* tsk == current */*1882 <http://lxr.free-electrons.com/source/kernel/audit.c#L1882> cred <http://lxr.free-electrons.com/ident?i=cred> = current_cred <http://lxr.free-electrons.com/ident?i=current_cred>();1883 <http://lxr.free-electrons.com/source/kernel/audit.c#L1883> 1884 <http://lxr.free-electrons.com/source/kernel/audit.c#L1884> spin_lock_irq <http://lxr.free-electrons.com/ident?i=spin_lock_irq>(&tsk <http://lxr.free-electrons.com/ident?i=tsk>->sighand->siglock);1885 <http://lxr.free-electrons.com/source/kernel/audit.c#L1885> if (tsk <http://lxr.free-electrons.com/ident?i=tsk>->signal && tsk <http://lxr.free-electrons.com/ident?i=tsk>->signal->tty <http://lxr.free-electrons.com/ident?i=tty> && tsk <http://lxr.free-electrons.com/ident?i=tsk>->signal->tty <http://lxr.free-electrons.com/ident?i=tty>->name <http://lxr.free-electrons.com/ident?i=name>)1886 <http://lxr.free-electrons.com/source/kernel/audit.c#L1886> tty <http://lxr.free-electrons.com/ident?i=tty> = tsk <http://lxr.free-electrons.com/ident?i=tsk>->signal->tty <http://lxr.free-electrons.com/ident?i=tty>->name <http://lxr.free-electrons.com/ident?i=name>;1887 <http://lxr.free-electrons.com/source/kernel/audit.c#L1887> else1888 <http://lxr.free-electrons.com/source/kernel/audit.c#L1888> tty <http://lxr.free-electrons.com/ident?i=tty> = *"(none)"*;1889 <http://lxr.free-electrons.com/source/kernel/audit.c#L1889> spin_unlock_irq <http://lxr.free-electrons.com/ident?i=spin_unlock_irq>(&tsk <http://lxr.free-electrons.com/ident?i=tsk>->sighand->siglock);1890 <http://lxr.free-electrons.com/source/kernel/audit.c#L1890> 1891 <http://lxr.free-electrons.com/source/kernel/audit.c#L1891> audit_log_format <http://lxr.free-electrons.com/ident?i=audit_log_format>(ab,1892 <http://lxr.free-electrons.com/source/kernel/audit.c#L1892> *" ppid=%d pid=%d auid=%u uid=%u gid=%u"*1893 <http://lxr.free-electrons.com/source/kernel/audit.c#L1893> *" euid=%u suid=%u fsuid=%u"*1894 <http://lxr.free-electrons.com/source/kernel/audit.c#L1894> *" egid=%u sgid=%u fsgid=%u tty=%s ses=%u"*,1895 <http://lxr.free-electrons.com/source/kernel/audit.c#L1895> task_ppid_nr <http://lxr.free-electrons.com/ident?i=task_ppid_nr>(tsk <http://lxr.free-electrons.com/ident?i=tsk>),1896 <http://lxr.free-electrons.com/source/kernel/audit.c#L1896> task_pid_nr <http://lxr.free-electrons.com/ident?i=task_pid_nr>(tsk <http://lxr.free-electrons.com/ident?i=tsk>),1897 <http://lxr.free-electrons.com/source/kernel/audit.c#L1897> from_kuid <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns <http://lxr.free-electrons.com/ident?i=init_user_ns>, audit_get_loginuid <http://lxr.free-electrons.com/ident?i=audit_get_loginuid>(tsk <http://lxr.free-electrons.com/ident?i=tsk>)),1898 <http://lxr.free-electrons.com/source/kernel/audit.c#L1898> from_kuid <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred <http://lxr.free-electrons.com/ident?i=cred>->uid <http://lxr.free-electrons.com/ident?i=uid>),1899 <http://lxr.free-electrons.com/source/kernel/audit.c#L1899> from_kgid <http://lxr.free-electrons.com/ident?i=from_kgid>(&init_user_ns <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred <http://lxr.free-electrons.com/ident?i=cred>->gid <http://lxr.free-electrons.com/ident?i=gid>),1900 <http://lxr.free-electrons.com/source/kernel/audit.c#L1900> from_kuid <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred <http://lxr.free-electrons.com/ident?i=cred>->euid),1901 <http://lxr.free-electrons.com/source/kernel/audit.c#L1901> from_kuid <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred <http://lxr.free-electrons.com/ident?i=cred>->suid),1902 <http://lxr.free-electrons.com/source/kernel/audit.c#L1902> from_kuid <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred <http://lxr.free-electrons.com/ident?i=cred>->fsuid),1903 <http://lxr.free-electrons.com/source/kernel/audit.c#L1903> from_kgid <http://lxr.free-electrons.com/ident?i=from_kgid>(&init_user_ns <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred <http://lxr.free-electrons.com/ident?i=cred>->egid),1904 <http://lxr.free-electrons.com/source/kernel/audit.c#L1904> from_kgid <http://lxr.free-electrons.com/ident?i=from_kgid>(&init_user_ns <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred <http://lxr.free-electrons.com/ident?i=cred>->sgid),1905 <http://lxr.free-electrons.com/source/kernel/audit.c#L1905> from_kgid <http://lxr.free-electrons.com/ident?i=from_kgid>(&init_user_ns <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred <http://lxr.free-electrons.com/ident?i=cred>->fsgid),1906 <http://lxr.free-electrons.com/source/kernel/audit.c#L1906> + tty <http://lxr.free-electrons.com/ident?i=tty>, audit_get_sessionid <http://lxr.free-electrons.com/ident?i=audit_get_sessionid>(tsk <http://lxr.free-electrons.com/ident?i=tsk>),*ApplicationID............); *1907 <http://lxr.free-electrons.com/source/kernel/audit.c#L1907> 1908 <http://lxr.free-electrons.com/source/kernel/audit.c#L1908> audit_log_format <http://lxr.free-electrons.com/ident?i=audit_log_format>*(ab, **" comm="**); *1909 <http://lxr.free-electrons.com/source/kernel/audit.c#L1909> audit_log_untrustedstring <http://lxr.free-electrons.com/ident?i=audit_log_untrustedstring>*(ab, *get_task_comm <http://lxr.free-electrons.com/ident?i=get_task_comm>*(*comm <http://lxr.free-electrons.com/ident?i=comm>*, *tsk <http://lxr.free-electrons.com/ident?i=tsk>*)); *1910 <http://lxr.free-electrons.com/source/kernel/audit.c#L1910> 1911 <http://lxr.free-electrons.com/source/kernel/audit.c#L1911> audit_log_d_path_exe <http://lxr.free-electrons.com/ident?i=audit_log_d_path_exe>*(ab, *tsk <http://lxr.free-electrons.com/ident?i=tsk>*->mm); *1912 <http://lxr.free-electrons.com/source/kernel/audit.c#L1912> audit_log_task_context <http://lxr.free-electrons.com/ident?i=audit_log_task_context>*(ab); *1913 <http://lxr.free-electrons.com/source/kernel/audit.c#L1913>* }* On Tue, Apr 26, 2016 at 6:07 AM, Richard Guy Briggs <rgb@redhat.com> wrote: > On 16/04/25, Deepika Sundar wrote: > > I wanted to add the namespace information in the audit record for example > > pid_ns,user_ns,net_ns ,Is there any possibility to add this field inside > > Audit structure? > > We've been looking at this issue for several years now and don't have an > obvious solution yet. There has been discussion on this list. It is on > the radar: > > https://bugzilla.redhat.com/show_bug.cgi?id=1045666 > > > > On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore@redhat.com> wrote: > > > As we've already mentioned several times, we can make no guarantees > > > regarding functionality or compatibility without seeing your code. > > > While it may be frustrating, this is how Open Source development > > > works. > > > > > > If you are interested in our help you will need to describe, in > > > detail, what you are trying to do and ideally post your existing code > > > so it can be reviewed. > > > > > > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar > > > <sundar.deepika18@gmail.com> wrote: > > > > Okay,If I update the Ausearch/aureport in order to aware of the new > > > field in > > > > the audit log structure can it be feasible one? > > > > > > > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> > wrote: > > > >> > > > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote: > > > >> > In general way,Is there any compatibility issues if audit log > > > structure > > > >> > gets modified? > > > >> > > > >> Yes, there can be problems if the log structure gets modified. > > > >> Ausearch/report > > > >> are highly optimized for an exact format. > > > >> > > > >> -Steve > > > >> > > > >> > > > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> > > > wrote: > > > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > > > >> > > > As per my understanding audit log structure can be extendible > > > based > > > >> > > > on > > > >> > > > requirements and in my project I need to add the identifier > field > > > >> > > > for > > > >> > > > the > > > >> > > > application and as of now I couldn't able to revel the What > > > >> > > > application > > > >> > > > trying to develop to update.So,Is there any possibility that > > > without > > > >> > > > breaking any Compatibility issues I can do it ? > > > >> > > > > > >> > > I have no idea what you are doing so there is no guarantee that > it > > > >> > > won't > > > >> > > break > > > >> > > something. If your project is going to be released as open > source > > > its > > > >> > > generally best to collaborate with people so that problems can > be > > > >> > > pointed > > > >> > > out. > > > >> > > Otherwise you risk spending a lot of time on something only to > have > > > it > > > >> > > rejected. > > > >> > > > > > >> > > -Steve > > > >> > > > > > >> > > > OR If any compatibility issues please specify . > > > >> > > > > > > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore < > paul@paul-moore.com> > > > >> > > > wrote: > > > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar > > > >> > > > > > > > >> > > > > <sundar.deepika18@gmail.com> wrote: > > > >> > > > > > In the same way, in the kernel side > > > >> > > > > > Can I able to add one new field to the audit log structure > > > >> > > > > > without > > > >> > > > > > > > >> > > > > breaking > > > >> > > > > > > > >> > > > > > Compatibility? If so, > > > >> > > > > > > > > >> > > > > > 1.How can I add new field without breaking > compatibility? > > > >> > > > > > > > > >> > > > > > or > > > >> > > > > > > > > >> > > > > > 2.Is there any reserve field in audit log structure so > that > > > I > > > >> > > > > > can > > > >> > > > > > >> > > make > > > >> > > > > > >> > > > > use > > > >> > > > > > > > >> > > > > > of it? > > > >> > > > > > > > >> > > > > You need to be more specific about what you are trying to > do. > > > >> > > > > Speaking generally, unless you work to get your changed > merged > > > >> > > > > into > > > >> > > > > the upstream kernel and userspace tools we cannot guarantee > > > >> > > > > present or > > > >> > > > > future compatibility. > > > >> > > > > > > > >> > > > > -- > > > >> > > > > paul moore > > > >> > > > > www.paul-moore.com > > > >> > > > > > > > > > > > > -- > > > > Linux-audit mailing list > > > > Linux-audit@redhat.com > > > > https://www.redhat.com/mailman/listinfo/linux-audit > > > > > > > > > > > > -- > > > paul moore > > > security @ redhat > > > > > > -- > > Linux-audit mailing list > > Linux-audit@redhat.com > > https://www.redhat.com/mailman/listinfo/linux-audit > > > - RGB > > -- > Richard Guy Briggs <rgb@redhat.com> > Kernel Security Engineering, Base Operating Systems, Red Hat > Remote, Ottawa, Canada > Voice: +1.647.777.2635, Internal: (81) 32635 > [-- Attachment #1.2: Type: text/html, Size: 35218 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: New field to auditd.conf file 2016-04-28 5:59 ` Deepika Sundar @ 2016-04-29 2:47 ` Richard Guy Briggs 0 siblings, 0 replies; 16+ messages in thread From: Richard Guy Briggs @ 2016-04-29 2:47 UTC (permalink / raw) To: Deepika Sundar; +Cc: linux-audit On 16/04/28, Deepika Sundar wrote: > Thank you for all replies and Sorry, I am new to this audit subsystem field. > > I am facing the problem in the initial stage itself that,Where to add the > new field in the source code, as per my work understanding in the below > code,Is it possible to fine tune by adding new field say,*"APPLICATION ID" *in > that structure. > > If not possible, What is the impact ? *OR* > Is it possible to add a new member without any impact? > Please Suggest me with some IDEA where new field in audit structure can be > added and It should not break compatibility.Provide Documentation where I > can refer to do. > Once I am clear with the method I can Share the code to review. There is a list of technical resources at: http://people.redhat.com/sgrubb/audit/ with a section on "Specs". In particular, please see: http://people.redhat.com/sgrubb/audit/audit-events.txt http://people.redhat.com/sgrubb/audit/audit-parse.txt I don't understand what this is below... > Kernel/audit.c > > void audit_log_task_info > <http://lxr.free-electrons.com/ident?i=audit_log_task_info>(struct > audit_buffer <http://lxr.free-electrons.com/ident?i=audit_buffer> *ab, > struct task_struct <http://lxr.free-electrons.com/ident?i=task_struct> > *tsk <http://lxr.free-electrons.com/ident?i=tsk>) > > 1873 <http://lxr.free-electrons.com/source/kernel/audit.c#L1873> {1874 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1874> > const struct cred <http://lxr.free-electrons.com/ident?i=cred> *cred > <http://lxr.free-electrons.com/ident?i=cred>;1875 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1875> > char comm <http://lxr.free-electrons.com/ident?i=comm>[sizeof(tsk > <http://lxr.free-electrons.com/ident?i=tsk>->comm > <http://lxr.free-electrons.com/ident?i=comm>)];1876 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1876> > char *tty <http://lxr.free-electrons.com/ident?i=tty>;1877 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1877> 1878 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1878> if > (!ab)1879 <http://lxr.free-electrons.com/source/kernel/audit.c#L1879> > return;1880 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1880> 1881 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1881> > */* tsk == current */*1882 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1882> > cred <http://lxr.free-electrons.com/ident?i=cred> = current_cred > <http://lxr.free-electrons.com/ident?i=current_cred>();1883 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1883> 1884 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1884> > spin_lock_irq <http://lxr.free-electrons.com/ident?i=spin_lock_irq>(&tsk > <http://lxr.free-electrons.com/ident?i=tsk>->sighand->siglock);1885 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1885> if > (tsk <http://lxr.free-electrons.com/ident?i=tsk>->signal && tsk > <http://lxr.free-electrons.com/ident?i=tsk>->signal->tty > <http://lxr.free-electrons.com/ident?i=tty> && tsk > <http://lxr.free-electrons.com/ident?i=tsk>->signal->tty > <http://lxr.free-electrons.com/ident?i=tty>->name > <http://lxr.free-electrons.com/ident?i=name>)1886 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1886> > tty <http://lxr.free-electrons.com/ident?i=tty> = tsk > <http://lxr.free-electrons.com/ident?i=tsk>->signal->tty > <http://lxr.free-electrons.com/ident?i=tty>->name > <http://lxr.free-electrons.com/ident?i=name>;1887 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1887> > else1888 <http://lxr.free-electrons.com/source/kernel/audit.c#L1888> > tty <http://lxr.free-electrons.com/ident?i=tty> = > *"(none)"*;1889 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1889> > spin_unlock_irq > <http://lxr.free-electrons.com/ident?i=spin_unlock_irq>(&tsk > <http://lxr.free-electrons.com/ident?i=tsk>->sighand->siglock);1890 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1890> 1891 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1891> > audit_log_format > <http://lxr.free-electrons.com/ident?i=audit_log_format>(ab,1892 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1892> > *" ppid=%d pid=%d auid=%u uid=%u gid=%u"*1893 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1893> > *" euid=%u suid=%u fsuid=%u"*1894 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1894> > *" egid=%u sgid=%u fsgid=%u tty=%s ses=%u"*,1895 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1895> > task_ppid_nr > <http://lxr.free-electrons.com/ident?i=task_ppid_nr>(tsk > <http://lxr.free-electrons.com/ident?i=tsk>),1896 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1896> > task_pid_nr > <http://lxr.free-electrons.com/ident?i=task_pid_nr>(tsk > <http://lxr.free-electrons.com/ident?i=tsk>),1897 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1897> > from_kuid > <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns > <http://lxr.free-electrons.com/ident?i=init_user_ns>, > audit_get_loginuid > <http://lxr.free-electrons.com/ident?i=audit_get_loginuid>(tsk > <http://lxr.free-electrons.com/ident?i=tsk>)),1898 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1898> > from_kuid > <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns > <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred > <http://lxr.free-electrons.com/ident?i=cred>->uid > <http://lxr.free-electrons.com/ident?i=uid>),1899 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1899> > from_kgid > <http://lxr.free-electrons.com/ident?i=from_kgid>(&init_user_ns > <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred > <http://lxr.free-electrons.com/ident?i=cred>->gid > <http://lxr.free-electrons.com/ident?i=gid>),1900 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1900> > from_kuid > <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns > <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred > <http://lxr.free-electrons.com/ident?i=cred>->euid),1901 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1901> > from_kuid > <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns > <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred > <http://lxr.free-electrons.com/ident?i=cred>->suid),1902 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1902> > from_kuid > <http://lxr.free-electrons.com/ident?i=from_kuid>(&init_user_ns > <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred > <http://lxr.free-electrons.com/ident?i=cred>->fsuid),1903 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1903> > from_kgid > <http://lxr.free-electrons.com/ident?i=from_kgid>(&init_user_ns > <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred > <http://lxr.free-electrons.com/ident?i=cred>->egid),1904 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1904> > from_kgid > <http://lxr.free-electrons.com/ident?i=from_kgid>(&init_user_ns > <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred > <http://lxr.free-electrons.com/ident?i=cred>->sgid),1905 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1905> > from_kgid > <http://lxr.free-electrons.com/ident?i=from_kgid>(&init_user_ns > <http://lxr.free-electrons.com/ident?i=init_user_ns>, cred > <http://lxr.free-electrons.com/ident?i=cred>->fsgid),1906 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1906> + > tty <http://lxr.free-electrons.com/ident?i=tty>, > audit_get_sessionid > <http://lxr.free-electrons.com/ident?i=audit_get_sessionid>(tsk > <http://lxr.free-electrons.com/ident?i=tsk>),*ApplicationID............); > *1907 <http://lxr.free-electrons.com/source/kernel/audit.c#L1907> 1908 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1908> > audit_log_format > <http://lxr.free-electrons.com/ident?i=audit_log_format>*(ab, **" > comm="**); > *1909 <http://lxr.free-electrons.com/source/kernel/audit.c#L1909> > audit_log_untrustedstring > <http://lxr.free-electrons.com/ident?i=audit_log_untrustedstring>*(ab, > *get_task_comm <http://lxr.free-electrons.com/ident?i=get_task_comm>*(*comm > <http://lxr.free-electrons.com/ident?i=comm>*, *tsk > <http://lxr.free-electrons.com/ident?i=tsk>*)); > *1910 <http://lxr.free-electrons.com/source/kernel/audit.c#L1910> 1911 > <http://lxr.free-electrons.com/source/kernel/audit.c#L1911> > audit_log_d_path_exe > <http://lxr.free-electrons.com/ident?i=audit_log_d_path_exe>*(ab, *tsk > <http://lxr.free-electrons.com/ident?i=tsk>*->mm); > *1912 <http://lxr.free-electrons.com/source/kernel/audit.c#L1912> > audit_log_task_context > <http://lxr.free-electrons.com/ident?i=audit_log_task_context>*(ab); > *1913 <http://lxr.free-electrons.com/source/kernel/audit.c#L1913>* }* > > > > > > On Tue, Apr 26, 2016 at 6:07 AM, Richard Guy Briggs <rgb@redhat.com> wrote: > > On 16/04/25, Deepika Sundar wrote: > > > I wanted to add the namespace information in the audit record for example > > > pid_ns,user_ns,net_ns ,Is there any possibility to add this field inside > > > Audit structure? > > > > We've been looking at this issue for several years now and don't have an > > obvious solution yet. There has been discussion on this list. It is on > > the radar: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1045666 > > > > > > > On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore@redhat.com> wrote: > > > > As we've already mentioned several times, we can make no guarantees > > > > regarding functionality or compatibility without seeing your code. > > > > While it may be frustrating, this is how Open Source development > > > > works. > > > > > > > > If you are interested in our help you will need to describe, in > > > > detail, what you are trying to do and ideally post your existing code > > > > so it can be reviewed. > > > > > > > > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar > > > > <sundar.deepika18@gmail.com> wrote: > > > > > Okay,If I update the Ausearch/aureport in order to aware of the new > > > > field in > > > > > the audit log structure can it be feasible one? > > > > > > > > > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> > > wrote: > > > > >> > > > > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote: > > > > >> > In general way,Is there any compatibility issues if audit log > > > > structure > > > > >> > gets modified? > > > > >> > > > > >> Yes, there can be problems if the log structure gets modified. > > > > >> Ausearch/report > > > > >> are highly optimized for an exact format. > > > > >> > > > > >> -Steve > > > > >> > > > > >> > > > > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> > > > > wrote: > > > > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > > > > >> > > > As per my understanding audit log structure can be extendible > > > > based > > > > >> > > > on > > > > >> > > > requirements and in my project I need to add the identifier > > field > > > > >> > > > for > > > > >> > > > the > > > > >> > > > application and as of now I couldn't able to revel the What > > > > >> > > > application > > > > >> > > > trying to develop to update.So,Is there any possibility that > > > > without > > > > >> > > > breaking any Compatibility issues I can do it ? > > > > >> > > > > > > >> > > I have no idea what you are doing so there is no guarantee that > > it > > > > >> > > won't > > > > >> > > break > > > > >> > > something. If your project is going to be released as open > > source > > > > its > > > > >> > > generally best to collaborate with people so that problems can > > be > > > > >> > > pointed > > > > >> > > out. > > > > >> > > Otherwise you risk spending a lot of time on something only to > > have > > > > it > > > > >> > > rejected. > > > > >> > > > > > > >> > > -Steve > > > > >> > > > > > > >> > > > OR If any compatibility issues please specify . > > > > >> > > > > > > > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore < > > paul@paul-moore.com> > > > > >> > > > wrote: > > > > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar > > > > >> > > > > > > > > >> > > > > <sundar.deepika18@gmail.com> wrote: > > > > >> > > > > > In the same way, in the kernel side > > > > >> > > > > > Can I able to add one new field to the audit log structure > > > > >> > > > > > without > > > > >> > > > > > > > > >> > > > > breaking > > > > >> > > > > > > > > >> > > > > > Compatibility? If so, > > > > >> > > > > > > > > > >> > > > > > 1.How can I add new field without breaking > > compatibility? > > > > >> > > > > > > > > > >> > > > > > or > > > > >> > > > > > > > > > >> > > > > > 2.Is there any reserve field in audit log structure so > > that > > > > I > > > > >> > > > > > can > > > > >> > > > > > > >> > > make > > > > >> > > > > > > >> > > > > use > > > > >> > > > > > > > > >> > > > > > of it? > > > > >> > > > > > > > > >> > > > > You need to be more specific about what you are trying to > > do. > > > > >> > > > > Speaking generally, unless you work to get your changed > > merged > > > > >> > > > > into > > > > >> > > > > the upstream kernel and userspace tools we cannot guarantee > > > > >> > > > > present or > > > > >> > > > > future compatibility. > > > > >> > > > > > > > > >> > > > > www.paul-moore.com > > > > > > > > paul moore > > > > - RGB - RGB -- Richard Guy Briggs <rgb@redhat.com> Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2016-04-29 2:47 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-04-06 11:36 New field to auditd.conf file Deepika Sundar 2016-04-06 11:50 ` Steve Grubb 2016-04-06 11:55 ` Deepika Sundar 2016-04-06 12:17 ` Steve Grubb 2016-04-07 4:47 ` Deepika Sundar 2016-04-07 18:42 ` Paul Moore 2016-04-13 5:33 ` Deepika Sundar 2016-04-13 12:31 ` Steve Grubb 2016-04-20 4:35 ` Deepika Sundar 2016-04-20 12:30 ` Steve Grubb 2016-04-21 5:25 ` Deepika Sundar 2016-04-21 12:58 ` Paul Moore 2016-04-25 6:56 ` Deepika Sundar 2016-04-26 0:37 ` Richard Guy Briggs 2016-04-28 5:59 ` Deepika Sundar 2016-04-29 2:47 ` Richard Guy Briggs
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.