Linux-audit Archive mirror
From: Paul Moore <paul@paul-moore.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: "Thiébaud Weksteen" <tweek@google.com>,
	selinux@vger.kernel.org,
	"Peter Enderborg" <peter.enderborg@sony.com>,
	linux-security-module@vger.kernel.org, linux-audit@redhat.com,
	"Zdenek Pytela" <zpytela@redhat.com>,
	"Michal Sekletar" <msekleta@redhat.com>
Subject: Re: [PATCH RESEND 2/2] selinux: provide matching audit timestamp in the AVC trace event
Date: Mon, 19 Dec 2022 17:20:50 -0500	[thread overview]
Message-ID: <CAHC9VhQCrFqM33s+W+VXANfY-De-YqH206HjB7E7a8nPvjzDow@mail.gmail.com> (raw)
In-Reply-To: <20221219180024.1659268-3-omosnace@redhat.com>

On Mon, Dec 19, 2022 at 1:00 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> In order to make it possible for the users and tooling to associate an
> SELinux AVC trace event with the corresponding audit event, make it
> include the audit timestamp (including the "serial number") of the
> event.
>
> First make audit_log_start() include the timestamp in the audit_buffer
> struct and add a public helper to retrieve it from an audit_buffer
> instance. Then retrieve it in SELinux's avc_audit_post_callback() and
> include it in the "avc:selinux_audited" trace event.
>
> After this patch the event includes the numeric fields that make up the
> timestamp and the text representation includes the timestamp in the same
> format as used in the audit log - e.g. "audit_ts=1671454430.092:1671".
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  include/linux/audit.h      |  8 ++++++++
>  include/trace/events/avc.h | 25 +++++++++++++++++--------
>  kernel/audit.c             | 15 +++++++++++----
>  security/selinux/avc.c     |  4 +++-
>  4 files changed, 39 insertions(+), 13 deletions(-)

I'm not really liking the idea of exposing the audit timestamp for use
in other subsystems, even if it is just for use in a trace event.  I
generally take the approach that audit's charter is to capture and log
security relevant events to userspace where admins and security
officers can use the events to help meet their security goals.  While
audit may have some value to developers as a debugging tool, that is
not its primary purpose, and at this point in time I'm not supportive
of adding additional burdens to the audit subsystem to support a
debugging use case (I view exporting and maintaining a proper
timestamp value/struct an additional requirement on the audit
subsystem).

-- 
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
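As an added example (not part of this thread, the patch, or the kernel tree), the following userspace correlator joins the "audit_ts=secs.msecs:serial" token the commit message describes with the "msg=audit(secs.msecs:serial)" prefix of audit log records; the sample trace and audit lines are constructed, and the other trace-event fields shown in them are placeholders, not the real event layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class AuditTimestamp:
    """Audit timestamp as the kernel prints it: seconds, milliseconds, serial."""
    secs: int
    msecs: int
    serial: int

# The audit log writes "msg=audit(1671454430.092:1671)"; with the patch the
# AVC trace event carries the same triple as "audit_ts=1671454430.092:1671".
_AUDIT_LOG_RE = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")
_TRACE_TS_RE = re.compile(r"\baudit_ts=(\d+)\.(\d{3}):(\d+)\b")

def _to_ts(m: Optional[re.Match]) -> Optional[AuditTimestamp]:
    return AuditTimestamp(int(m[1]), int(m[2]), int(m[3])) if m else None

def parse_audit_log_ts(line: str) -> Optional[AuditTimestamp]:
    return _to_ts(_AUDIT_LOG_RE.search(line))

def parse_trace_ts(line: str) -> Optional[AuditTimestamp]:
    return _to_ts(_TRACE_TS_RE.search(line))

def correlate(trace_lines: List[str], audit_lines: List[str]) -> Dict[str, List[str]]:
    """Map each trace line to the audit records sharing its timestamp triple.
    The serial disambiguates records logged in the same millisecond, so the
    whole (secs, msecs, serial) triple is the join key, not wall-clock time.
    A trace line without audit_ts (e.g. from a kernel without the patch) maps
    to an empty list rather than being guessed at."""
    by_ts: Dict[AuditTimestamp, List[str]] = {}
    for line in audit_lines:
        ts = parse_audit_log_ts(line)
        if ts is not None:
            by_ts.setdefault(ts, []).append(line)
    return {line: by_ts.get(parse_trace_ts(line), []) for line in trace_lines}

# Constructed sample input (field values are illustrative only).
AUDIT_LINES = [
    'type=AVC msg=audit(1671454430.092:1671): avc:  denied  { read } for  pid=1234 comm="cat"',
    'type=SYSCALL msg=audit(1671454430.092:1671): arch=c000003e syscall=257 success=no',
    'type=AVC msg=audit(1671454430.092:1672): avc:  denied  { write } for  pid=1234 comm="cat"',
]
TRACE_LINES = [
    'cat-1234 [001] ... avc:selinux_audited: result=-13 audit_ts=1671454430.092:1671',
    'cat-1234 [001] ... avc:selinux_audited: result=-13 audit_ts=1671454430.092:1672',
    'cat-1234 [001] ... avc:selinux_audited: result=-13',
]
```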


Thread overview:
2022-12-19 18:00 [PATCH RESEND 0/2] Provide matching audit timestamp in the SELinux AVC trace event Ondrej Mosnacek
2022-12-19 18:00 ` [PATCH RESEND 1/2] audit: introduce a struct to represent an audit timestamp Ondrej Mosnacek
2022-12-19 18:00 ` [PATCH RESEND 2/2] selinux: provide matching audit timestamp in the AVC trace event Ondrej Mosnacek
2022-12-19 22:20   ` Paul Moore [this message]
