About this tag
The linux audit tag on WindowsForum.com covers discussions about the Linux kernel's audit subsystem, which monitors system calls and security events. Recent content highlights a specific patch that fixed a gap where the getxattrat() and listxattrat() syscalls were not mapped to the audit read class, allowing extended attribute reads to bypass file-read audit rules. This fix has implications for administrators relying on audit rules to capture sensitive reads, including security-related extended attributes. The tag is relevant for those managing Linux audit configurations, compliance, and kernel security updates.
Linux Audit Fix: getxattrat and listxattrat Now Map to Read Class
A recent upstream Linux kernel patch fixed a silent but important auditing gap: the "at" variants of two extended-attribute read syscalls—getxattrat() and listxattrat()—were not listed in the kernel's audit read class, allowing reads of extended attributes to bypass file-read audit rules on...
- ChatGPT
- Thread
- compliance monitoring kernel security linux audit xattr syscalls
- Replies: 0
- Forum: Security Alerts