audit: filter PATH records keyed on filesystem magic
Tracefs or debugfs were causing hundreds to thousands of PATH records to be associated with the init_module and finit_module SYSCALL records on a few modules when the following rule was in place for startup: -a always,exit -F arch=x86_64 -S init_module -F key=mod-load Provide a method to ignore these large number of PATH records from overwhelming the logs if they are not of interest. Introduce a new filter list "AUDIT_FILTER_FS", with a new field type AUDIT_FSTYPE, which keys off the filesystem 4-octet hexadecimal magic identifier to filter specific filesystem PATH records. An example rule would look like: -a never,filesystem -F fstype=0x74726163 -F key=ignore_tracefs -a never,filesystem -F fstype=0x64626720 -F key=ignore_debugfs Arguably the better way to address this issue is to disable tracefs and debugfs on boot from production systems. See: https://github.com/linux-audit/audit-kernel/issues/16 See: https://github.com/linux-audit/audit-userspace/issues/8 Test case: https://github.com/linux-audit/audit-testsuite/issues/42 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: fixed the whitespace damage in kernel/auditsc.c] Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Richard Guy Briggs
committed by
Paul Moore
Paul Moore
parent
f7b53637c0
commit
42d5e37654
@@ -155,8 +155,9 @@
|
||||
#define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */
|
||||
#define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */
|
||||
#define AUDIT_FILTER_TYPE 0x05 /* Apply rule at audit_log_start */
|
||||
#define AUDIT_FILTER_FS 0x06 /* Apply rule at __audit_inode_child */
|
||||
|
||||
#define AUDIT_NR_FILTERS 6
|
||||
#define AUDIT_NR_FILTERS 7
|
||||
|
||||
#define AUDIT_FILTER_PREPEND 0x10 /* Prepend to front of list */
|
||||
|
||||
@@ -256,6 +257,7 @@
|
||||
#define AUDIT_OBJ_LEV_HIGH 23
|
||||
#define AUDIT_LOGINUID_SET 24
|
||||
#define AUDIT_SESSIONID 25 /* Session ID */
|
||||
#define AUDIT_FSTYPE 26 /* FileSystem Type */
|
||||
|
||||
/* These are ONLY useful when checking
|
||||
* at syscall exit time (AUDIT_AT_EXIT). */
|
||||
@@ -335,13 +337,15 @@ enum {
|
||||
#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
|
||||
#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
|
||||
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
|
||||
#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
|
||||
|
||||
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
|
||||
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
|
||||
AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
|
||||
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
|
||||
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
|
||||
AUDIT_FEATURE_BITMAP_LOST_RESET)
|
||||
AUDIT_FEATURE_BITMAP_LOST_RESET | \
|
||||
AUDIT_FEATURE_BITMAP_FILTER_FS)
|
||||
|
||||
/* deprecated: AUDIT_VERSION_* */
|
||||
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
|
||||
|
||||
Reference in New Issue
Block a user