Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753640AbbHFWgH (ORCPT <rfc822;w@1wt.eu>);
	Thu, 6 Aug 2015 18:36:07 -0400
Received: from mx1.redhat.com ([209.132.183.28]:50916 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751390AbbHFWgF (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 6 Aug 2015 18:36:05 -0400
From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com,
        linux-kernel@vger.kernel.org, eparis@redhat.com, peter@hda3.com
Subject: Re: [PATCH V9 3/3] audit: add audit by children of executable path
Date: Thu, 06 Aug 2015 17:08:14 -0400
Message-ID: <18689423.1lXpkUPLpg@x2>
Organization: Red Hat
User-Agent: KMail/4.14.9 (Linux/4.1.3-200.fc22.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <5456503.IfTzUNfidJ@sifl>
References: <cover.1438801342.git.rgb@redhat.com> <d9b6e7ce17a8ffa71fe756a06922898f54ad78e5.1438801342.git.rgb@redhat.com> <5456503.IfTzUNfidJ@sifl>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1894
Lines: 44

On Thursday, August 06, 2015 04:24:58 PM Paul Moore wrote:
> On Wednesday, August 05, 2015 04:29:38 PM Richard Guy Briggs wrote:
> > This adds the ability to audit the actions of children of a
> > not-yet-running
> > process.
> >
> > 
> >
> > This is a split-out of a heavily modified version of a patch originally
> > submitted by Eric Paris with some ideas from Peter Moody.
> >
> > 
> >
> > Cc: Peter Moody <peter@hda3.com>
> > Cc: Eric Paris <eparis@redhat.com>
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >
> >  include/uapi/linux/audit.h |    1 +
> >  kernel/auditfilter.c       |    5 +++++
> >  kernel/auditsc.c           |   11 +++++++++++
> >  3 files changed, 17 insertions(+), 0 deletions(-)
> 
> I'm still not really comfortable with that loop and since there hasn't been
> a  really convincing use case I'm going to pass on this patch for right
> now.  If someone comes up with a *really* compelling case in the future
> I'll reconsider it.

Its the same reason strace has a -f option. Sometimes you need to also see 
what the children did. For example, maybe you want to audit file access to a 
specific directory and several cgi-bin programs can get there. You could write 
a rule for apache and be done. Or maybe, you have an app that lets people have 
shell access and you need to see files accessed or connections opened. Or maybe 
its a control panel application with helper scripts and you need to see 
changes that its making. Or maybe you have a program that is at risk of being 
compromised and you want to see if someone gets a shell from it. There are a 
lot of cases where it could be useful.

-Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/