linux audit
About this tag
The linux audit tag on WindowsForum.com covers discussions about the Linux kernel's audit subsystem, which monitors system calls and security events. Recent content highlights a specific patch that fixed a gap where the getxattrat() and listxattrat() syscalls were not mapped to the audit read class, allowing extended attribute reads to bypass file-read audit rules. This fix has implications for administrators relying on audit rules to capture sensitive reads, including security-related extended attributes. The tag is relevant for those managing Linux audit configurations, compliance, and kernel security updates.
A recent upstream Linux kernel patch fixed a silent but important auditing gap: the "at" variants of two extended-attribute read syscalls—getxattrat() and listxattrat()—were not listed in the kernel's audit read class, allowing reads of extended attributes to bypass file-read audit rules on...