audit-kernel
GitHub mirror of the Linux Kernel's audit repository
For open(2) and openat(2) one can filter by the flags used (e.g. `O_CREAT`): ``` -a always,exit -F -S openat,open_by_handle_at -F a2&0100 -F key=creation -a always,exit -F -S open -F a1&0100...
System: Debian sid Kernel: `Linux hostname 5.19.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.6-1 (2022-09-01) x86_64 GNU/Linux` Auditd: 3.0.9 Triggering a SELinux denial on a file descriptor operation (e.g. fchmod(2)) creates an...
Hello folks, long time no see :). On Fedora I am trying to catch syscalls with a specific exit value (EACCES=-13) by the following rule: ``` # auditctl -a always,exit...
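The two posts above (filtering open/openat by the `O_CREAT` flag bit, and filtering on a specific exit value) both come down to how auditd's field comparators are evaluated against a SYSCALL record. The following script is an added example, not code from the audit-kernel project or from either poster: it re-implements the `&` (any bit set) and `&=` (all bits set) operators and the `exit=` test in Python and runs them over constructed SYSCALL records. It assumes x86_64 syscall numbers (open=2, openat=257, open_by_handle_at=304), that the flags argument is `a1` for open(2) and `a2` for openat(2)/open_by_handle_at(2), and that `aN` fields are hexadecimal while `exit` is signed decimal, which is how the kernel formats them; the sample records, pids and paths are made up.

```python
"""Emulate auditctl field tests over SYSCALL records.

Added example, not part of the audit-kernel project. It mirrors two
filter comparisons from the rules discussed above:
  - a bit-mask test such as `-F a2&0100` (flags argument has O_CREAT set)
  - an exact test such as `-F exit=-13` (syscall failed with EACCES)
and runs them over constructed SYSCALL records (not real log output).
"""
import re

# x86_64 syscall numbers (arch=c000003e). Assumption: records are x86_64.
SYSCALL_NR = {"open": 2, "openat": 257, "open_by_handle_at": 304}
# Which argument carries the flags: open(path, flags) -> a1,
# openat(dirfd, path, flags) -> a2, open_by_handle_at(mfd, handle, flags) -> a2.
FLAGS_ARG = {"open": "a1", "openat": "a2", "open_by_handle_at": "a2"}
O_CREAT = 0o100      # the 0100 in "-F a2&0100" is octal, like <fcntl.h>
O_TRUNC = 0o1000
EACCES = 13

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> raw string value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def arg_value(rec, name):
    """aN fields in SYSCALL records are hexadecimal with no 0x prefix."""
    return int(rec[name], 16)


def exit_value(rec):
    """exit is signed decimal; a failed syscall carries -errno."""
    return int(rec["exit"])


def bit_mask(value, mask):
    """auditctl '&' operator: true if any bit of mask is set in value."""
    return (value & mask) != 0


def bit_test(value, mask):
    """auditctl '&=' operator: true only if every bit of mask is set."""
    return (value & mask) == mask


def match_creation(rec):
    """Equivalent of: -S open,openat,open_by_handle_at -F <flags arg>&0100."""
    if rec.get("type") != "SYSCALL":
        return False
    nr = int(rec["syscall"])
    for name, num in SYSCALL_NR.items():
        if num == nr:
            return bit_mask(arg_value(rec, FLAGS_ARG[name]), O_CREAT)
    return False


def match_eacces(rec):
    """Equivalent of: -F exit=-13 (auditctl also accepts the name -EACCES)."""
    return rec.get("type") == "SYSCALL" and exit_value(rec) == -EACCES


def tag_records(lines):
    """Return [(key, line)] for every record a rule would tag, like key= in auditd."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if match_creation(rec):
            out.append(("creation", line))
        if match_eacces(rec):
            out.append(("eacces", line))
    return out


# Constructed sample records (timestamps, pids and paths are made up).
SAMPLE = [
    # openat(AT_FDCWD, path, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666): a2=0x80241
    'type=SYSCALL msg=audit(1662000000.101:1): arch=c000003e syscall=257 success=yes exit=3 '
    'a0=ffffff9c a1=7ffd1234 a2=80241 a3=1b6 items=2 ppid=1000 pid=1001 comm="touch"',
    # openat(AT_FDCWD, path, O_RDONLY|O_CLOEXEC): flags in a2 lack O_CREAT
    'type=SYSCALL msg=audit(1662000000.102:2): arch=c000003e syscall=257 success=yes exit=3 '
    'a0=ffffff9c a1=7ffd1234 a2=80000 a3=0 items=1 ppid=1000 pid=1002 comm="cat"',
    # open(path, O_RDWR|O_CREAT, 0600): for open(2) the flags are a1, not a2
    'type=SYSCALL msg=audit(1662000000.103:3): arch=c000003e syscall=2 success=yes exit=4 '
    'a0=7ffd5678 a1=42 a2=180 a3=0 items=2 ppid=1000 pid=1003 comm="legacy"',
    # openat denied with EACCES: O_CREAT not requested, so only the exit rule fires
    'type=SYSCALL msg=audit(1662000000.104:4): arch=c000003e syscall=257 success=no exit=-13 '
    'a0=ffffff9c a1=7ffd9abc a2=80000 a3=0 items=1 ppid=1000 pid=1004 comm="cat"',
    # non-SYSCALL record of the same event: syscall rules never match it
    'type=PATH msg=audit(1662000000.104:4): item=0 name="/etc/shadow" nametype=NORMAL',
]

if __name__ == "__main__":
    for key, line in tag_records(SAMPLE):
        print(f"{key}: {line[:72]}")
```

The point the third sample makes is that one `-F a2&0100` test cannot serve both open(2) and openat(2): the flags sit in different argument slots, which is why the rules above are split per syscall. For a single bit like `O_CREAT` the `&` and `&=` operators agree; they only differ when the mask has several bits, as `bit_test` shows.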
RFE: Create mechanism for "systemctl stop auditd" to audit the identity of the user issuing the command. Currently, auditd is one of the few remaining users of the sysvinit package...
Hi, While I was working around AuditD, I encountered an interesting bug: when removing a folder, the files within the folder are reported with the incorrect `PARENT` `name` property. **Repro:**...
I was thinking about the problematic situation with the current feature bitmap approach and I think I came up with a viable long-term solution. ### High-level description My idea is...
When the auditd service is stopped, it will call audit_set_pid(fd, 0, WAIT_NO) and does not process reply messages int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode) { struct audit_status s; struct audit_reply...
I use an ILP32 program on a 5.10 kernel recently, and I find that I can't record logs in some cases; here is an example: I set one rule on the system:...
The files at include/asm-generic/audit_*.h have syscalls used to trigger watches for various syscalls without having to know the exact syscall. It appears that the last time it was updated...
# Universally Unique Identifier for PIDS and child PIDS Hello, hopefully I can dictate my issue I'm running into with Auditd. If there is a solution to this that I'm...