Thread: 29 messages, 5 authors, 2023-08-26

Re: [PATCH] audit: add task history record

From: Paul Moore <paul@paul-moore.com>
Date: 2023-08-24 13:31:26

On Thu, Aug 24, 2023 at 9:21 AM Tetsuo Handa
[off-list ref] wrote:
> On 2023/08/23 23:48, Paul Moore wrote:
>> We've already discussed this both from a kernel load perspective (it
>> should be able to handle the load, if not that is a separate problem
>> to address) as well as the human perspective (if you want auditing,
>> you need to be able to handle auditing).
>
> No. You haven't shown us audit rules that can satisfy requirements shown below.
>
>   (1) Catch _all_ process creations (both via fork()/clone() system calls and
>       kthread_create() from the kernel), and duplicate the history upon process
>       creation.

Create an audit filter rule to record the syscalls you are interested
in logging.

>   (2) Catch _all_ execve(), and update the history upon successful execve().

Create an audit filter rule to record the syscalls you are interested
in logging.

>   (3) Catch _all_ process terminations (both exit()/exit_group()/kill() system
>       calls and internal reasons such as OOM killer), and erase the history upon
>       process termination.

Create an audit filter rule to record the events you are interested in
logging, if there is an event which isn't being recorded feel free to
submit a patch to generate an audit record.

-- 
paul-moore.com
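The exchange above turns on whether the three requirements (duplicate history on process creation, update it on execve, erase it on termination) can be met from user space with ordinary audit filter rules. The following is an added example, not code from this thread or from the kernel audit tree, of what a consumer of SYSCALL records could build once rules selecting fork/vfork/clone/clone3, execve/execveat and exit/exit_group are loaded. It assumes x86_64 (arch=c000003e) syscall numbers and that the `exe=` field of an execve SYSCALL record already names the new image; the sample records are constructed and trimmed, not captured from a real system. It only covers the syscall-driven path that Paul's replies refer to; kernel-internal events such as kthread_create() or an OOM kill, which Tetsuo's points (1) and (3) raise, produce no SYSCALL record and are deliberately outside what this code can see.

```python
"""Reconstruct per-process exec history from audit SYSCALL records.

Added example; assumes rules like these are loaded (x86_64 only here):

    -a always,exit -F arch=b64 -S fork,vfork,clone,clone3 -k proc_create
    -a always,exit -F arch=b64 -S execve,execveat -k proc_exec
    -a always,exit -F arch=b64 -S exit,exit_group -k proc_exit
"""
import re
from typing import Dict, List, Optional

# x86_64 (arch=c000003e) syscall numbers for the calls the rules above select.
CREATE_SYSCALLS = {56: "clone", 57: "fork", 58: "vfork", 435: "clone3"}
EXEC_SYSCALLS = {59: "execve", 322: "execveat"}
EXIT_SYSCALLS = {60: "exit", 231: "exit_group"}

# key=value pairs; values may be double-quoted (comm=, exe=, key=) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record line into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


class ProcessHistory:
    """pid -> list of images the process and its ancestors exec'd."""

    def __init__(self) -> None:
        self.history: Dict[int, List[str]] = {}

    def feed(self, line: str) -> None:
        r = parse_record(line)
        if r.get("type") != "SYSCALL" or r.get("arch") != "c000003e":
            return
        nr = int(r["syscall"])
        pid = int(r["pid"])
        if nr in CREATE_SYSCALLS:
            # Logged in the parent; exit= is the child's pid on success and a
            # negative errno on failure. A clone with CLONE_THREAD returns a
            # tid, so thread creation would need flag inspection (a0/a1) that
            # this example omits.
            if r.get("success") != "yes":
                return
            child = int(r["exit"])
            parent_hist = self.history.get(pid, [r.get("exe", "?")])
            self.history[child] = list(parent_hist)          # (1) duplicate on creation
        elif nr in EXEC_SYSCALLS:
            if r.get("success") != "yes":
                return
            # exe= in the SYSCALL record is sampled after the image switch.
            self.history.setdefault(pid, []).append(r["exe"])  # (2) update on exec
        elif nr in EXIT_SYSCALLS:
            # A process killed by a signal (including the OOM killer) never
            # reaches here: no syscall, no SYSCALL record. Such entries would
            # need a different event source to be erased.
            self.history.pop(pid, None)                       # (3) erase on termination

    def lineage(self, pid: int) -> Optional[List[str]]:
        return self.history.get(pid)


def build_history(lines: List[str]) -> ProcessHistory:
    h = ProcessHistory()
    for line in lines:
        h.feed(line)
    return h


# Constructed, trimmed sample records (not captured from a real system).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1692880000.101:201): arch=c000003e syscall=56 success=yes exit=1001 items=0 ppid=900 pid=1000 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="proc_create"',
    'type=PROCTITLE msg=audit(1692880000.101:201): proctitle="bash"',
    'type=SYSCALL msg=audit(1692880000.102:202): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 comm="sudo" exe="/usr/bin/sudo" key="proc_exec"',
    'type=SYSCALL msg=audit(1692880000.103:203): arch=c000003e syscall=56 success=yes exit=1002 items=0 ppid=1000 pid=1001 auid=1000 uid=0 comm="sudo" exe="/usr/bin/sudo" key="proc_create"',
    'type=SYSCALL msg=audit(1692880000.104:204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1001 pid=1002 auid=1000 uid=0 comm="sh" exe="/usr/bin/sh" key="proc_exec"',
    'type=SYSCALL msg=audit(1692880000.105:205): arch=c000003e syscall=56 success=no exit=-11 items=0 ppid=900 pid=1000 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="proc_create"',
    'type=SYSCALL msg=audit(1692880000.106:206): arch=c000003e syscall=231 success=yes exit=0 items=0 ppid=1000 pid=1001 auid=1000 uid=0 comm="sudo" exe="/usr/bin/sudo" key="proc_exit"',
]

if __name__ == "__main__":
    hist = build_history(SAMPLE_LOG)
    for pid, images in sorted(hist.history.items()):
        print(pid, " -> ".join(images))
```

The tracker keys on `exit=` of a successful clone to learn the child pid, which is why a failed clone (the `success=no exit=-11` record) leaves no entry, and it has nothing to key on for a process the kernel created or killed internally, which is the gap the thread is arguing about.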