| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhQYUooJbZ9tcOOwb=48LTjtnfo0g11vQuyLzoxdetaxnw@mail.gmail.com>
Date: Tue, 19 May 2020 15:18:23 -0400
From: Paul Moore <paul@...l-moore.com>
To: Richard Guy Briggs <rgb@...hat.com>
Cc: Linux-Audit Mailing List <linux-audit@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
netfilter-devel@...r.kernel.org, sgrubb@...hat.com,
Ondrej Mosnacek <omosnace@...hat.com>, fw@...len.de,
twoerner@...hat.com, Eric Paris <eparis@...isplace.org>,
tgraf@...radead.org
Subject: Re: [PATCH ghak25 v5] audit: add subj creds to NETFILTER_CFG record
to cover async unregister
On Tue, May 19, 2020 at 11:31 AM Richard Guy Briggs <rgb@...hat.com> wrote:
>
> Some table unregister actions seem to be initiated by the kernel to
> garbage collect unused tables that are not initiated by any userspace
> actions. It was found to be necessary to add the subject credentials to
> cover this case to reveal the source of these actions. A sample record:
>
> The tty, ses and exe fields have not been included since they are in the
> SYSCALL record and contain nothing useful in the non-user context.
>
> type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 uid=root auid=unset subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
Based on where things were left in the discussion on the previous
draft, I think it would be good if you could explain a bit why the uid
and auid fields are useful here.
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists