RFE: log potential containers involved in namespace events
rgbriggs opened this issue · 6 comments
Log potential containers involved in namespace events.
Since network events could cause audit events that are not tied to a specific task, it is necessary to identify all potential containers that could have caused that event. Add a list of audit container identifiers that could use this network namespace and report them upon network events.
This depends on: #90
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
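A userspace model of the bookkeeping this RFE asks for, added here as an illustration and not code from the kernel patchset: each network namespace keeps a reference-counted list of audit container IDs, and an event with no task context reports every ID on that list. The struct and function names and the `contid=` output format are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One entry per container ID with at least one task in the namespace. */
struct contid_ref {
    uint64_t contid;
    unsigned int count;            /* tasks in this netns carrying the ID */
    struct contid_ref *next;
};
struct netns_model { struct contid_ref *contids; };  /* hypothetical */

/* A task carrying contid entered the namespace. */
int netns_contid_add(struct netns_model *ns, uint64_t contid)
{
    struct contid_ref *r;
    for (r = ns->contids; r; r = r->next)
        if (r->contid == contid) { r->count++; return 0; }
    if (!(r = malloc(sizeof(*r)))) return -1;
    r->contid = contid; r->count = 1;
    r->next = ns->contids; ns->contids = r;
    return 0;
}

/* A task left; the ID stays listed until its last task is gone. */
void netns_contid_del(struct netns_model *ns, uint64_t contid)
{
    struct contid_ref **pp, *dead;
    for (pp = &ns->contids; *pp; pp = &(*pp)->next) {
        if ((*pp)->contid != contid) continue;
        if (--(*pp)->count == 0) { dead = *pp; *pp = dead->next; free(dead); }
        return;
    }
}

/* Event with no task context: list every candidate ID, return how many. */
int netns_report_contids(const struct netns_model *ns, char *buf, size_t len)
{
    const struct contid_ref *r; size_t off = 0; int n = 0, w;
    if (!len) return 0;
    buf[0] = '\0';
    for (r = ns->contids; r; r = r->next) {
        w = snprintf(buf + off, len - off, "%s%llu", n ? "," : "contid=",
                     (unsigned long long)r->contid);
        /* Drop a partially written ID instead of logging a wrong one. */
        if (w < 0 || (size_t)w >= len - off) { buf[off] = '\0'; break; }
        off += (size_t)w; n++;
    }
    return n;
}
```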
Posted v3 kernel patchset upstream:
https://www.redhat.com/archives/linux-audit/2018-June/msg00048.html
https://lkml.org/lkml/2018/6/6/609
V8 post:
https://lkml.org/lkml/2019/12/31/229
https://lore.kernel.org/lkml/cover.1577736799.git.rgb@redhat.com/T/#t
https://www.redhat.com/archives/linux-audit/2019-December/msg00049.html
Latest testsuite PR: https://github.com/linux-audit/audit-testsuite/pull/91
The code is also posted at:
git://toccata2.tricolour.ca/linux-2.6-rgb.git ghak90-audit-containerID.v8
2020-12-21
post v10 kernel
https://www.redhat.com/archives/linux-audit/2020-December/msg00047.html
https://lkml.org/lkml/2020/12/21/338
post v10 user
https://www.redhat.com/archives/linux-audit/2020-December/msg00059.html
https://lkml.org/lkml/2020/12/21/361
This was quickly addressed by the upstream kernel audit maintainer, who noted that ACKs on the first patch were questionable, which I acknowledged as being out of date, triggering another version.