
RFE: support audit container ID filtering #40

Closed
rgbriggs opened this issue Feb 26, 2018 · 13 comments

Comments

@rgbriggs
Contributor

rgbriggs commented Feb 26, 2018

Add userspace audit tool support for the features introduced by kernel audit container ID support.

  • filtering on container ID
  • ausearch support

See: linux-audit/audit-kernel#91
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

@rgbriggs
Contributor Author

rgbriggs commented Mar 5, 2018

Posted RFC v1 userspace patch for auditctl containerid filter support:
https://www.redhat.com/archives/linux-audit/2018-March/msg00030.html
https://lkml.org/lkml/2018/3/5/82

@rgbriggs
Contributor Author

rgbriggs commented Jun 6, 2018

@rgbriggs
Contributor Author

rgbriggs commented Apr 9, 2019

@rgbriggs
Contributor Author

Test case v1 PR: linux-audit/audit-testsuite#83

rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue May 28, 2019
A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to
filter based on audit container identifier.  This field is specified
with the "contid" field name on the command line.

Since it is a u64 and larger than any other numeric field, send it as a
string but do the appropriate conversions on each end in each direction.

See: linux-audit#40
See: linux-audit/audit-kernel#91
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue May 31, 2019
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Sep 19, 2019
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Sep 20, 2019
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 6, 2019
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 31, 2019
@rgbriggs
Contributor Author

post v8
https://lkml.org/lkml/2019/12/31/244
https://lore.kernel.org/lkml/[email protected]/T/#t
https://www.redhat.com/archives/linux-audit/2019-December/msg00066.html
latest testsuite pr: https://github.com/linux-audit/audit-testsuite/pull/91
A repo of the code is here:
[email protected]:rgbriggs/audit-userspace.git ghau40-containerid-filter.v8
And test rpms built from it are here:
people.redhat.com/~rbriggs/ghak90/git-47ad4ca

fengguang pushed a commit to 0day-ci/linux that referenced this issue Jan 3, 2020
Implement audit container identifier filtering using the AUDIT_CONTID
field name to send an 8-character string representing a u64 since the
value field is only u32.

Sending it as two u32 was considered, but gathering and comparing two
fields was more complex.

The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID.

Please see the github audit kernel issue for the contid filter feature:
  linux-audit/audit-kernel#91
Please see the github audit userspace issue for filter additions:
  linux-audit/audit-userspace#40
Please see the github audit testsuite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Acked-by: Neil Horman <[email protected]>
Reviewed-by: Ondrej Mosnacek <[email protected]>
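The two commit messages above (the audit-userspace one and the kernel one) describe the same wire trick: the rule message's per-field value slot is only u32, so the u64 container identifier is carried as an 8-byte string in the rule's string buffer and converted back on the receiving side. The following C is an added illustration of that encoding, written for this page; it is not the audit-userspace or kernel implementation. `struct mock_rule`, `MOCK_FIELD_CONTID`, the 64-byte buffer, the function names and the sample value 123456789012 are all assumptions constructed for the example, and the real `struct audit_rule_data` carries other string fields in the same buffer, which this mock omits.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Width of the value as carried in the rule buffer: the per-field
 * values[] slot is only 32 bits wide, so the u64 travels as an 8-byte
 * string in the trailing buffer instead. */
#define CONTID_WIRE_LEN 8

/* Simplified mock of a rule message: field/op/value triples plus a string
 * buffer. Only what this example needs; the real struct has more members
 * and other string fields share the same buffer. */
#define MAX_FIELDS 4
struct mock_rule {
    unsigned int field_count;
    unsigned int fields[MAX_FIELDS];
    unsigned int values[MAX_FIELDS];   /* for contid: the string length */
    unsigned int buflen;
    unsigned char buf[64];
};

#define MOCK_FIELD_CONTID 99  /* hypothetical field number for the example */

/* Parse the text after "contid=" into a u64. Rejects empty input, a leading
 * sign (strtoull would silently accept "-1"), trailing junk and overflow.
 * Returns 0 on success, -1 on failure. */
int contid_parse(const char *text, uint64_t *out)
{
    char *end;
    if (text == NULL || *text < '0' || *text > '9')
        return -1;
    errno = 0;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Pack a u64 into 8 bytes. Host byte order is used deliberately: sender and
 * receiver live on the same host (a local netlink socket), so no
 * network-order conversion is needed. */
void contid_pack(uint64_t id, unsigned char wire[CONTID_WIRE_LEN])
{
    memcpy(wire, &id, CONTID_WIRE_LEN);
}

uint64_t contid_unpack(const unsigned char wire[CONTID_WIRE_LEN])
{
    uint64_t id;
    memcpy(&id, wire, CONTID_WIRE_LEN);
    return id;
}

/* Sender side: append a contid field. The values[] slot holds the string
 * length, not the identifier. Returns 0, or -1 if the rule is full. */
int rule_add_contid(struct mock_rule *r, uint64_t id)
{
    if (r->field_count >= MAX_FIELDS ||
        r->buflen + CONTID_WIRE_LEN > sizeof r->buf)
        return -1;
    r->fields[r->field_count] = MOCK_FIELD_CONTID;
    r->values[r->field_count] = CONTID_WIRE_LEN;
    contid_pack(id, r->buf + r->buflen);
    r->buflen += CONTID_WIRE_LEN;
    r->field_count++;
    return 0;
}

/* Receiver side: walk the rule and recover the u64 for each contid field.
 * The claimed string length must be exactly 8 and must fit inside buflen;
 * a receiver that skips this check reads past the buffer on a malformed
 * message. Returns the number of ids decoded, or -1 on malformed input. */
int rule_extract_contids(const struct mock_rule *r, uint64_t *ids, int max)
{
    unsigned int off = 0;
    int n = 0;
    for (unsigned int i = 0; i < r->field_count; i++) {
        if (r->fields[i] != MOCK_FIELD_CONTID)
            continue;
        unsigned int len = r->values[i];
        if (len != CONTID_WIRE_LEN || off + len > r->buflen || n >= max)
            return -1;
        ids[n++] = contid_unpack(r->buf + off);
        off += len;
    }
    return n;
}

/* Filter-side comparison: the task's contid against the rule's value. */
int contid_matches(uint64_t task_contid, uint64_t rule_contid)
{
    return task_contid == rule_contid;
}

int main(void)
{
    struct mock_rule r = {0};
    uint64_t id, got[MAX_FIELDS];
    if (contid_parse("123456789012", &id) != 0 || rule_add_contid(&r, id) != 0)
        return 1;
    int n = rule_extract_contids(&r, got, MAX_FIELDS);
    printf("decoded %d contid(s), first = %llu\n", n, (unsigned long long)got[0]);
    return 0;
}
```

The point worth carrying over to the real code is on the receiving end: because the u64 arrives as a length-prefixed string rather than a fixed-width integer, the length is attacker-influenced data from the kernel's perspective (the sender holds CAP_AUDIT_CONTROL, but a bug in the userspace tool still produces a malformed message), so it has to be checked against both the expected width and the remaining buffer before the bytes are copied out. Invoking the filter from auditctl would use the usual `-F field=value` form, i.e. `-F contid=<u64>`; that exact syntax is assumed here from the commit message's "contid" field name rather than quoted from the patch.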
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Jun 26, 2020
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jun 27, 2020
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Nov 26, 2020
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Nov 26, 2020
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 18, 2020
fengguang pushed a commit to 0day-ci/linux that referenced this issue Dec 22, 2020
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jan 12, 2021
@khimaros

Did this make it into a particular kernel/audit-userspace release?

I'm very interested in this, especially if it allows filtering at the rule level.

@stevegrubb
Contributor

No. The work is still ongoing.

@stevegrubb
Contributor

Closing this out. A tracker for this is not needed. When a patch is available, just do a pull request.
