linux-audit/audit-userspace

RFE: support audit container ID filtering

Closed this issue · 13 comments

Add userspace audit tool support for the features introduced by kernel audit container ID support.

  • filtering on container ID
  • ausearch support

See: linux-audit/audit-kernel#91
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Posted RFC v1 userspace patch for auditctl containerid filter support:
https://www.redhat.com/archives/linux-audit/2018-March/msg00030.html
https://lkml.org/lkml/2018/3/5/82

post v8
https://lkml.org/lkml/2019/12/31/244
https://lore.kernel.org/lkml/1577822301-19760-1-git-send-email-rgb@redhat.com/T/#t
https://www.redhat.com/archives/linux-audit/2019-December/msg00066.html
Latest testsuite PR: https://github.com/linux-audit/audit-testsuite/pull/91
A repo of the code is here:
git@github.com:rgbriggs/audit-userspace.git ghau40-containerid-filter.v8
And test rpms built from it are here:
people.redhat.com/~rbriggs/ghak90/git-47ad4ca

Did this make it into a particular kernel/audit-userspace release?

I'm very interested in this, especially if it allows filtering at the rule level.

No. The work is still ongoing.

Closing this out. A tracker for this is not needed. When a patch is available, just do a pull request.