The Linux kernel's audit subsystem/framework for greater insight into system activity for security purposes will now be able to properly cope with multiple Linux Security Modules (LSMs).

Linux developer Casey Schaufler led the charge to add proper audit support for dealing with multiple Linux security modules. The audit feature pull request was already submitted in advance of the Linux 6.18 merge window formally opening.

Paul Moore explains in the [1]audit pull request for the imminent Linux 6.18 merge window the two major feature changes:

"- Proper audit support for multiple LSMs

As the audit subsystem predated the work to enable multiple LSMs, some additional work was needed to support logging the different LSM labels for the subjects/tasks and objects on the system. Casey's patches add new auxillary records for subjects and objects that convey the additional labels.

- Ensure fanotify audit events are always generated

Generally speaking security relevant subsystems always generate audit events, unless explicitly ignored. However, up to this point fanotify events had been ignored by default, but starting with this pull request fanotify follows convention and generates audit events by default."



[1] https://lore.kernel.org/lkml/3161e6addb7d3e6c8297ff058ad8236d@paul-moore.com/