audit-userspace RFE: support audit container ID filtering

Add userspace audit tool support for the features introduced by kernel audit container ID support.

filtering on container ID
ausearch support

See: https://github.com/linux-audit/audit-kernel/issues/91 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Feb 26 '18 11:02 rgbriggs

Posted RFC v1 userspace patch for auditctl containerid filter support: https://www.redhat.com/archives/linux-audit/2018-March/msg00030.html https://lkml.org/lkml/2018/3/5/82

Mar 05 '18 08:03 rgbriggs

Posted v2 userspace patchset upstream: https://www.redhat.com/archives/linux-audit/2018-March/msg00124.html https://lkml.org/lkml/2018/3/16/210

Mar 16 '18 09:03 rgbriggs

Posted v3 patchset upstream: https://www.redhat.com/archives/linux-audit/2018-June/msg00059.html https://lkml.org/lkml/2018/6/6/626

Jun 06 '18 17:06 rgbriggs

Posted v4 patchset upstream: https://www.redhat.com/archives/linux-audit/2018-July/msg00189.html https://lkml.org/lkml/2018/7/31/862

Jul 31 '18 20:07 rgbriggs

Posted v5: https://www.redhat.com/archives/linux-audit/2019-March/msg00036.html https://lkml.org/lkml/2019/3/15/544

Mar 16 '19 12:03 rgbriggs

post v6: https://www.redhat.com/archives/linux-audit/2019-April/msg00062.html https://lkml.org/lkml/2019/4/9/774

Apr 09 '19 19:04 rgbriggs

Test case v1 PR: https://github.com/linux-audit/audit-testsuite/pull/83

Apr 10 '19 21:04 rgbriggs

2019-09-18: post v7: https://www.redhat.com/archives/linux-audit/2019-September/msg00038.html https://lkml.org/lkml/2019/9/18/1138 https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghau40-containerid-filter.v7.0 http://people.redhat.com/~rbriggs/ghak90/git-247fe71

Sep 19 '19 18:09 rgbriggs

post v8 https://lkml.org/lkml/2019/12/31/244 https://lore.kernel.org/lkml/[email protected]/T/#t https://www.redhat.com/archives/linux-audit/2019-December/msg00066.html latest testsuite pr: https://githu.com/linux-audit/audit-testsuite/pull/91 A repo of the code is here: [email protected]:rgbriggs/audit-userspace.git ghau40-containerid-filter.v8 And test rpms built from it are here: people.redhat.com/~rbriggs/ghak90/git-47ad4ca

Dec 31 '19 21:12 rgbriggs

Post v9 kernel: https://www.redhat.com/archives/linux-audit/2020-June/msg00108.html https://lkml.org/lkml/2020/6/27/205

Post v9 userspace: https://www.redhat.com/archives/linux-audit/2020-June/msg00122.html

Jun 27 '20 15:06 rgbriggs

did this make it into a particular kernel/audit-userspace release?

i'm very interested in this, especially if it allows filtering at the rule level.

Jun 19 '21 15:06 khimaros

No. The work is still ongoing.

Jun 20 '21 17:06 stevegrubb

Closing this out. A tracker for this is not needed. When a patch is available, just do a pull request.

Jul 25 '23 19:07 stevegrubb