Paul Moore
Hook the audit system into the Linux Kernel's device layer to capture and record device attach and detach events, also hook significant upper layers to capture notable metadata about the...
For the *at syscalls, can we get the path from the FD being passed as an argument to be able to reconstruct what is being accessed? (Readlink in /proc/…/fds/# shows...
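As an added illustration (not code from the audit-kernel project or this issue), the following shows how user space can reconstruct the path an *at() syscall operates on: resolve the dirfd through the /proc/self/fd/&lt;n&gt; symlink, then join it with the relative pathname, with AT_FDCWD mapped to the current working directory. The function name resolve_at_path and the use of "/" as the directory are ours. It assumes Linux with procfs mounted, and it deliberately demonstrates the limitation of doing this outside the kernel: once the descriptor is closed (or reused) the /proc lookup no longer yields the directory that the syscall actually used.

```c
// Added example, not part of the audit-kernel issue tracker: resolving the
// path an *at() syscall refers to from user space via /proc/self/fd/<n>.
// Assumes Linux with /proc mounted. resolve_at_path is a name chosen here.
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Resolve the directory that dirfd refers to into buf. AT_FDCWD is resolved
 * with getcwd(); any other descriptor through the /proc/self/fd/<n> symlink,
 * which only works while that descriptor is still open in this process.
 * Returns 0 on success, -1 on failure. */
static int resolve_dirfd(int dirfd, char *buf, size_t len)
{
    if (dirfd == AT_FDCWD)
        return getcwd(buf, len) ? 0 : -1;

    char link[64];
    snprintf(link, sizeof(link), "/proc/self/fd/%d", dirfd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Build the path that (dirfd, pathname) denotes for an *at() call.
 * An absolute pathname ignores dirfd, exactly as the syscalls do.
 * Returns 0 and fills out on success, -1 on lookup error or overflow. */
int resolve_at_path(int dirfd, const char *pathname, char *out, size_t len)
{
    if (pathname[0] == '/') {
        if (strlen(pathname) >= len)
            return -1;
        strcpy(out, pathname);
        return 0;
    }

    char dir[PATH_MAX];
    if (resolve_dirfd(dirfd, dir, sizeof(dir)) < 0)
        return -1;

    /* Avoid a doubled slash when the directory is "/" itself. */
    const char *sep = (dir[strlen(dir) - 1] == '/') ? "" : "/";
    int written = snprintf(out, len, "%s%s%s", dir, sep, pathname);
    return (written < 0 || (size_t)written >= len) ? -1 : 0;
}

int main(void)
{
    char path[PATH_MAX];
    int dirfd = open("/", O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) {
        perror("open");
        return 1;
    }
    if (resolve_at_path(dirfd, "etc/passwd", path, sizeof(path)) == 0)
        printf("openat(%d, \"etc/passwd\") -> %s\n", dirfd, path);
    close(dirfd);

    /* After close() the /proc entry is gone: an after-the-fact consumer of
     * audit records cannot recover the directory this way any more. */
    if (resolve_at_path(dirfd, "etc/passwd", path, sizeof(path)) < 0)
        printf("fd %d is closed: path can no longer be resolved\n", dirfd);
    return 0;
}
```

The second lookup in main() is the point of the exercise: a record consumer that runs later than the syscall has no reliable view of the process's descriptor table, which is why resolving the dirfd at record time, inside the kernel, is what the issue asks for.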
On occasion SELinux AVC denials are dropped by the audit subsystem during early boot without any warnings about dropped audit records. This was reported as an issue with Android kernels...
The lack of namespace identifiers in audit records can make interpreting audit records difficult in some configurations. Pay special attention to the fact that this issue is about _namespace_ identifiers...
CONFIG_AUDIT_ARCH_COMPAT_GENERIC is found in lib/Kconfig with the following entry: config AUDIT_ARCH_COMPAT_GENERIC bool default n ... and I can't seem to find any references under lib/; I suspect this is an...
From commit 7f49294282c49ef426ed05eb4959728524ba140c: > At the moment the audit watch code is a lot more complex. That code only creates one fsnotify watch per parent directory. That 'audit_parent' in turn...
We should improve/fix the seccomp logging such that we can accomplish the following two things: - Enable/disable logging based on the seccomp action. One idea is to set a sysctl...
From an email with @rgbriggs: > We have 3 file_* tests in the test suite. There are 6 operations that need testing. There are tests required when the file...
We should create a test to ensure that audit records are written to the kernel ring buffer when the audit daemon is not connected and the hold buffer starts to...
Test the ability to filter events based on PID and PPID.