On Mon, Oct 14, 2024 at 05:17:53AM -0700, Christoph Hellwig wrote:
> On Mon, Oct 14, 2024 at 11:12:25PM +1100, Burn Alting wrote:
> > > > PATH records is no longer forensically defensible and its use as a
> > > > correlation item is of questionable value now?
> > >
> > > What do you mean with forensically defensible?
> >
> > If the auditd system only maintains a 32 bit variable for an inode value,
> > when it emits an inode number, then how does one categorically state/defend
> > that the inode value in the audit event is the actual one on the file
> > system. The PATH record will offer one value (32 bits) but the returned
> > inode value from a stat will return another (the actual 64 bit value).
> > Basically auditd would not be recording the correct value.
>
> Does auditd only track 32-bit inodes? If yes, it is fundamentally
> broken.

auditd logs 32-bit inodes on 32-bit architecture, whereas it should always log 64-bit inodes. The goal of this patch series is to fix this issue for auditd and other kernel logs (and to backport these fixes).
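As an added example (not code from this thread or from the kernel audit subsystem), the following C program shows the correlation problem the message describes: a PATH record whose inode field was narrowed to 32 bits can only be compared against the low 32 bits of the st_ino a stat() returns, so a match is ambiguous rather than conclusive. The record line, the function names (parse_path_inode, classify_inode_match, path_record_matches) and the inode values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of correlating an inode number taken from an audit PATH record
 * against the st_ino that a stat() of the file returns on a 64-bit-inode
 * filesystem. */
enum inode_match {
    INODE_MATCH_EXACT,      /* identical 64-bit values: a usable identifier  */
    INODE_MATCH_TRUNCATED,  /* equal only in the low 32 bits: ambiguous      */
    INODE_MISMATCH,         /* cannot refer to the same inode                */
    INODE_PARSE_ERROR       /* record carries no parsable "inode=" field     */
};

/* Extract the decimal value of the " inode=" key from one audit record line.
 * Returns 1 and stores the value in *out on success, 0 if the key is absent
 * or carries no digits. The leading space avoids matching keys that merely
 * end in "inode=". */
int parse_path_inode(const char *record, uint64_t *out)
{
    const char *p = strstr(record, " inode=");
    if (!p)
        return 0;
    p += strlen(" inode=");
    char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (end == p)
        return 0;
    *out = (uint64_t)v;
    return 1;
}

/* Decide whether a logged inode number can be reconciled with the real one.
 * A 32-bit logging field keeps only the low 32 bits of st_ino, so a logged
 * value that fits in 32 bits and equals the low half of the real inode may
 * refer to this file or to any other inode sharing those low bits. */
enum inode_match classify_inode_match(uint64_t logged, uint64_t actual)
{
    if (logged == actual)
        return INODE_MATCH_EXACT;
    if (logged <= UINT32_MAX && (uint32_t)logged == (uint32_t)actual)
        return INODE_MATCH_TRUNCATED;
    return INODE_MISMATCH;
}

/* Convenience wrapper: parse the record, then classify against st_ino. */
enum inode_match path_record_matches(const char *record, uint64_t st_ino)
{
    uint64_t logged;
    if (!parse_path_inode(record, &logged))
        return INODE_PARSE_ERROR;
    return classify_inode_match(logged, st_ino);
}

int main(void)
{
    /* Constructed PATH record: the real inode is 2^32 + 1, but a 32-bit
     * field would have recorded only the low half, i.e. 1. */
    const char *record =
        "type=PATH msg=audit(1728900000.123:456): item=0 name=\"/tmp/x\""
        " inode=1 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00";
    const uint64_t st_ino_from_stat = 4294967297ULL;   /* constructed value */

    static const char *names[] = { "exact", "truncated", "mismatch", "parse error" };
    printf("record vs stat(): %s\n",
           names[path_record_matches(record, st_ino_from_stat)]);
    return 0;
}
```

Running it prints "truncated": the record is consistent with the file but does not identify it uniquely, which is why the thread calls a 32-bit inode field indefensible as a correlation key. An exact 64-bit match is the only outcome an analyst can treat as conclusive.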