On 8/10/21 6:52 AM, J Freyensee wrote:
[snip]
>> Have you considered writing to the audit log instead of the kernel messages directly?
>> (not saying that this is necessarily better, but is there a reasoning to prefer one or
>> the other here? Audit logs are often consumed by automated tools and it may be more practical
>> for people to detect and treat violations if the messages were pushed to the audit log
>> - but conversely, that requires defining and maintaining a stable log format for consumers)
>
> It's a good idea to write to the audit log, HOWEVER I'd want to know
> what all the rest of the LSMs are doing in a case like this. If all of
> them just write kernel messages, I'd want this module to also write just
> kernel messages for consistency's sake for use with say, log harvesters
> for a SIEM/XDR system solution.

Right, after taking a quick look through the SafeSetID, YAMA and the future BRUTE LSM, it looks like they all use pr_warn/pr_notice. Only the MACs seem to make use of the audit log, so you can forget what I said about writing to the audit log, this shouldn't be necessary, and is probably a bad idea for consistency, as Jay said.

Simon

>
> Just in general I like the thought of this LSM. I used to work for a
> security company in which their cloud "watched" situations where
> mmap()/mprotect() would use anonymous executable pages for possible
> "dodgy" behavior.
>
> Jay
>
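The trade-off discussed above (free-text pr_warn()/pr_notice() messages versus key=value audit records, from the point of view of a log harvester) is illustrated by the following added example. It is not code from this thread or from any of the LSMs mentioned; the module name "example_lsm", the wording of the kernel message, and the audit record type "EXAMPLE_LSM" are all constructed for illustration, and the sample lines are made up rather than captured from a system. The audit line only follows the general `type=... msg=audit(secs.millis:serial): key=value ...` layout of kernel audit records.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not real output of any LSM).
# The kernel-message line imitates a pr_warn()-style free-text message
# from a hypothetical module called "example_lsm".
SAMPLE_KMSG = '[  123.456789] example_lsm: denied anonymous executable mapping pid=4242 comm="loader"'
# The audit line follows the generic audit record layout; the record type
# EXAMPLE_LSM is hypothetical, not a type the kernel defines.
SAMPLE_AUDIT = 'type=EXAMPLE_LSM msg=audit(1628603520.123:77): lsm=example_lsm op=mmap pid=4242 comm="loader" res=0'


@dataclass
class Violation:
    source: str   # "kmsg" or "audit"
    pid: int
    comm: str
    detail: str


# A free-text kernel message needs a regex written for that exact wording;
# if the module ever rephrases the message, the harvester silently stops
# matching, which is the "stable log format" cost raised in the thread.
KMSG_RE = re.compile(
    r'^\[\s*(?P<ts>[\d.]+)\]\s+example_lsm:\s+(?P<detail>.*?)'
    r'\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"$'
)


def parse_kmsg(line: str) -> Optional[Violation]:
    """Parse one constructed pr_warn()-style line; None if it does not match."""
    m = KMSG_RE.match(line)
    if not m:
        return None
    return Violation("kmsg", int(m.group("pid")), m.group("comm"), m.group("detail"))


# Audit records are key=value pairs after a fixed header, so a single generic
# tokenizer serves every record type and tolerates added fields.
AUDIT_HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line: str) -> Optional[dict]:
    """Split an audit record into its header fields plus body key=value pairs."""
    m = AUDIT_HEADER_RE.match(line)
    if not m:
        return None
    fields = {"type": m.group("type"), "ts": m.group("ts"), "serial": int(m.group("serial"))}
    for key, value in KV_RE.findall(m.group("body")):
        fields[key] = value.strip('"')
    return fields


def audit_to_violation(fields: dict) -> Optional[Violation]:
    """Lift a parsed audit record into the same Violation shape as the kmsg path."""
    if fields.get("lsm") != "example_lsm":
        return None
    detail = f'{fields.get("op")} res={fields.get("res")}'
    return Violation("audit", int(fields["pid"]), fields["comm"], detail)


if __name__ == "__main__":
    print(parse_kmsg(SAMPLE_KMSG))
    print(audit_to_violation(parse_audit(SAMPLE_AUDIT)))
```

Both paths end up with the same structured record, but only the kernel-message path carries a per-message regex that has to track the module's exact wording; that is the maintenance cost behind the "stable log format" remark, and the reason consistency with the other LSMs (which all use pr_warn/pr_notice) matters for whoever writes the harvester.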