lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <cover.1518411444.git.rgb@redhat.com>
Date:   Mon, 12 Feb 2018 00:02:20 -0500
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Linux-Audit Mailing List <linux-audit@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     Paul Moore <paul@...l-moore.com>, Eric Paris <eparis@...hat.com>,
        Steve Grubb <sgrubb@...hat.com>,
        Richard Guy Briggs <rgb@...hat.com>
Subject: [PATCH ghak8 ALT4 V4 0/3] audit: show more information for entries with anonymous parents

More than one filesystem was causing hundreds to thousands of null PATH
records to be associated with the *init_module SYSCALL records on a few
modules with corresponding audit syscall rules.

This patchset adds extra information to those PATH records to provide
insight into what is generating them, including a partial pathname,
fstype field, and two new filetypes that indicate the pathname isn't
anchored at the root of the task's root filesystem.

Richard Guy Briggs (3):
  audit: show partial pathname for entries with anonymous parents
  audit: append new fstype field for anonymous PATH records
  audit: add new filetypes CREATE_ANON and PARENT_ANON

 include/linux/audit.h | 10 ++++++----
 kernel/audit.c        | 41 ++++++++++++++++++++++++++++++++++++++++-
 kernel/audit.h        |  1 +
 kernel/auditsc.c      | 12 ++++++++++--
 4 files changed, 57 insertions(+), 7 deletions(-)

-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ