linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: generate audit records for fanotify decisions #55

Closed pcmoore closed 6 years ago

pcmoore commented 7 years ago

From @stevegrubb:

Fanotify subsystem allows a user space daemon to make file access decisions. Since this is a flow control decision, there must be auditing around the decision. This must be configurable in some sense in that the admin has to be able to decide if they want access audit events or not in the policy.

I would like to propose adding 2 new decision flags for the FAN_*_PERM events: FAN_ALLOW_AUDIT and FAN_DENY_AUDIT. This way policy in the daemon can dictate whether an audit event should be created or not and what the access decision is.
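An added example, not part of the issue thread or the kernel tree: a sketch of how a daemon's policy can pick both the access decision and whether the kernel should emit an audit record. Mainline headers (Linux 4.15 and later) express this as a `FAN_AUDIT` bit ORed into `FAN_ALLOW` or `FAN_DENY` rather than the two flag names proposed above; the rule table, `decide()` and `respond()` are hypothetical names.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <linux/fanotify.h>

#ifndef FAN_AUDIT                 /* kernel headers older than Linux 4.15 */
#define FAN_AUDIT 0x10
#endif

/* Hypothetical policy rule: path prefix -> decision, and whether to audit it. */
struct rule { const char *prefix; int allow; int audit; };

/* Constructed sample policy; first match wins, the empty prefix is the default. */
static const struct rule policy[] = {
    { "/etc/shadow", 0, 1 },      /* deny, and ask for an audit record */
    { "/home/",      1, 1 },      /* allow, but still audit the access */
    { "/usr/bin/",   1, 0 },      /* allow silently */
    { "",            1, 0 },      /* default: allow silently */
};

/* Map a path to the value placed in fanotify_response.response. */
static unsigned int decide(const char *path)
{
    size_t i, n = sizeof(policy) / sizeof(policy[0]);
    for (i = 0; i < n; i++) {
        if (strncmp(path, policy[i].prefix, strlen(policy[i].prefix)) == 0) {
            unsigned int r = policy[i].allow ? FAN_ALLOW : FAN_DENY;
            return policy[i].audit ? (r | FAN_AUDIT) : r;
        }
    }
    return FAN_ALLOW;             /* not reached: the default rule always matches */
}

/* Answer one FAN_*_PERM event. fan_fd is the fanotify group descriptor; the
 * group must have been created with FAN_ENABLE_AUDIT in the fanotify_init()
 * flags, otherwise the kernel rejects a response carrying FAN_AUDIT. */
static int respond(int fan_fd, int event_fd, const char *path)
{
    struct fanotify_response resp;
    memset(&resp, 0, sizeof(resp));
    resp.fd = event_fd;           /* fd taken from the event being answered */
    resp.response = decide(path);
    return write(fan_fd, &resp, sizeof(resp)) == (ssize_t)sizeof(resp) ? 0 : -1;
}
```
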

pcmoore commented 7 years ago

We should have an RFE wiki page and a new test for this feature.

pcmoore commented 6 years ago

@stevegrubb I know you sent the kernel patch by way of the fanotify team, but did you ever document it and provide test cases as mentioned above?

stevegrubb commented 6 years ago

It is documented in the header file just like any other event. I think Ondrej has a test for it.

pcmoore commented 6 years ago

That is not our general agreement; new things like this need to be documented in the wiki[1] (using the template[2]) and a test added to the audit-testsuite[3].

[1] https://github.com/linux-audit/audit-kernel/wiki
[2] https://github.com/linux-audit/audit-kernel/wiki/Template-RFE
[3] https://github.com/linux-audit/audit-testsuite

pcmoore commented 6 years ago

@stevegrubb I believe you addressed this with the fanotify folks, can we close this out or is there still something that needs to be done?

stevegrubb commented 6 years ago

We can close it...

pcmoore commented 6 years ago

I closed this, but @stevegrubb you really need to add the RFE wiki page as stated above.