diff options
| author | Richard Guy Briggs <rgb@redhat.com> | 2017-08-23 07:03:39 -0400 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2017-11-10 16:08:56 -0500 |
| commit | 42d5e37654e4cdb9fb2e2f3ab30045fee35c42d8 (patch) | |
| tree | 5fa06c6189f135561616208016519bb61c309b1b /include/linux/audit.h | |
| parent | f7b53637c090bd8ce2dc74ad0f3aa1898aff2524 (diff) | |
audit: filter PATH records keyed on filesystem magic
Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Provide a method to ignore these large number of PATH records from
overwhelming the logs if they are not of interest. Introduce a new
filter list "AUDIT_FILTER_FS", with a new field type AUDIT_FSTYPE,
which keys off the filesystem 4-octet hexadecimal magic identifier to
filter specific filesystem PATH records.
An example rule would look like:
-a never,filesystem -F fstype=0x74726163 -F key=ignore_tracefs
-a never,filesystem -F fstype=0x64626720 -F key=ignore_debugfs
Arguably the better way to address this issue is to disable tracefs and
debugfs on boot from production systems.
See: https://github.com/linux-audit/audit-kernel/issues/16
See: https://github.com/linux-audit/audit-userspace/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fixed the whitespace damage in kernel/auditsc.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'include/linux/audit.h')
0 files changed, 0 insertions, 0 deletions