linux-audit
RFE: add a method to filter audit events based on audit container identifier
Add a method to filter audit events based on audit container identifier.
Add a u64 field AUDIT_CONTID to be able to specify an audit container identifier to be used to filter audit events.
Depends: https://github.com/linux-audit/audit-kernel/issues/90 Depends: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Posted v3 kernel patchset upstream: https://www.redhat.com/archives/linux-audit/2018-June/msg00048.html https://lkml.org/lkml/2018/6/6/609
posted v4 kernel patchset upstream: https://www.redhat.com/archives/linux-audit/2018-July/msg00178.html https://lkml.org/lkml/2018/7/31/855
2019-09-18: post v7: https://www.redhat.com/archives/linux-audit/2019-September/msg00016.html https://lkml.org/lkml/2019/9/18/1112
V8 post: https://lkml.org/lkml/2019/12/31/229 https://lore.kernel.org/lkml/[email protected]/T/#t https://www.redhat.com/archives/linux-audit/2019-December/msg00049.html latest testsuite pr: https://githu.com/linux-audit/audit-testsuite/pull/91 The code is also posted at: git://toccata2.tricolour.ca/linux-2.6-rgb.git ghak90-audit-containerID.v8
Post v9 kernel: https://www.redhat.com/archives/linux-audit/2020-June/msg00108.html https://lkml.org/lkml/2020/6/27/205
Post v9 userspace: https://www.redhat.com/archives/linux-audit/2020-June/msg00122.html
2020-12-21 post v10 kernel https://www.redhat.com/archives/linux-audit/2020-December/msg00047.html https://lkml.org/lkml/2020/12/21/338 post v10 user https://www.redhat.com/archives/linux-audit/2020-December/msg00059.html https://lkml.org/lkml/2020/12/21/361 This was quickly addressed by the upstream kernel audit maintainer that ACKs on the first patch were questionable, which I acknowledged as being out of date triggering another version.
post v11 kernel https://www.redhat.com/archives/linux-audit/2021-January/msg00007.html https://lkml.org/lkml/2021/1/12/818
