From: Steve Grubb <sgrubb@redhat.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
linux-audit@redhat.com
Cc: audit@vger.kernel.org,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-audit@redhat.com
Subject: Re: [PATCH v2] TaskTracker : Simplified thread information tracker.
Date: Mon, 07 Aug 2023 15:03:22 -0400 [thread overview]
Message-ID: <2155117.irdbgypaU6@x2> (raw)
In-Reply-To: <CAHC9VhSsDTyfae6f0XvYYcCRH590L1ZEqbHSM4UgUCHRGm7X_g@mail.gmail.com>
On Monday, August 7, 2023 2:53:40 PM EDT Paul Moore wrote:
> On Sun, Aug 6, 2023 at 9:05 AM Tetsuo Handa
>
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
> > When an unexpected system event occurs, the administrator may want to
> > identify which application triggered the event. For example, unexpected
> > process termination is still a real concern enough to write articles
> > like https://access.redhat.com/solutions/165993 . TaskTracker is a
> > trivial LSM module which emits TOMOYO-like information into the audit
> > logs for better understanding of unexpected system events.
>
> Help me understand why all of this information isn't already available
> via some combination of Audit and TOMOYO, or simply audit itself?
Usually when you want this kind of information, you are investigating an
incident. You wouldn't place a syscall audit for every execve and then
reconstruct the call chain from that. In the case of long running daemons,
the information could have been rotated away. But typically you want to see
what the entry point is. A sudden shell from bind would be suspicious while a
shell from sshd is not.
-Steve
> In the case of an audit-only design you would likely need to do some
> processing of the audit log to determine the full historical process
> tree of the process being killed, but all of the information should be
> there if you configure audit properly. I'm less familiar with TOMOYO,
> but your comment about this LSM recording "TOMOYO-like" information
> makes me believe that TOMOYO already records this information.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2023-08-07 19:03 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-06 13:04 [PATCH v2] TaskTracker : Simplified thread information tracker Tetsuo Handa
2023-08-06 22:01 ` Steve Grubb
2023-08-07 14:24 ` Tetsuo Handa
2023-08-07 17:25 ` Casey Schaufler
2023-08-07 18:54 ` Steve Grubb
2023-08-08 10:25 ` Tetsuo Handa
2023-08-07 18:53 ` Paul Moore
2023-08-07 19:03 ` Steve Grubb [this message]
2023-08-07 20:13 ` Paul Moore
2023-08-08 10:07 ` Tetsuo Handa
2023-08-08 14:38 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2155117.irdbgypaU6@x2 \
--to=sgrubb@redhat.com \
--cc=audit@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).