| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Jan 2019 17:10:23 -0500
From: Paul Moore <paul@...l-moore.com>
To: Richard Guy Briggs <rgb@...hat.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
Linux-Audit Mailing List <linux-audit@...hat.com>,
Eric Paris <eparis@...hat.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Steve Grubb <sgrubb@...hat.com>
Subject: Re: [PATCH ghak59 V3 1/4] audit: give a clue what CONFIG_CHANGE op
was involved
On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs <rgb@...hat.com> wrote:
>
> The failure to add an audit rule due to audit locked gives no clue
> what CONFIG_CHANGE operation failed.
> Similarly the set operation is the only other operation that doesn't
> give the "op=" field to indicate the action.
> All other CONFIG_CHANGE records include an op= field to give a clue as
> to what sort of configuration change is being executed.
>
> Since these are the only CONFIG_CHANGE records that that do not have an
> op= field, add them to bring them in line with the rest.
>
> Old records:
> type=CONFIG_CHANGE msg=audit(1519812997.781:374): pid=610 uid=0 auid=0 ses=1 subj=... audit_enabled=2 res=0
> type=CONFIG_CHANGE msg=audit(2018-06-14 14:55:04.507:47) : audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yes
>
> New records:
> type=CONFIG_CHANGE msg=audit(1520958477.855:100): pid=610 uid=0 auid=0 ses=1 subj=... op=add_rule audit_enabled=2 res=0
>
> type=CONFIG_CHANGE msg=audit(2018-06-14 14:55:04.507:47) : op=set audit_enabled=1 old=1 auid=unset ses=unset subj=... res=yes
>
> See: https://github.com/linux-audit/audit-kernel/issues/59
> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> ---
> kernel/audit.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
Merged, but I had to fixup a line length issue as reported by
checkpatch.pl. While I don't think we need to always follow
checkpatch.pl 100%, please make every effort to ensure that it likes
you line lengths.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 779671883349..0e8026423fbd 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -400,7 +400,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old,
> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (unlikely(!ab))
> return rc;
> - audit_log_format(ab, "%s=%u old=%u ", function_name, new, old);
> + audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old);
> audit_log_session_info(ab);
> rc = audit_log_task_context(ab);
> if (rc)
> @@ -1363,7 +1363,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> return -EINVAL;
> if (audit_enabled == AUDIT_LOCKED) {
> audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
> - audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled);
> + audit_log_format(ab, " op=%s audit_enabled=%d res=0",
> + msg_type == AUDIT_ADD_RULE ? "add_rule" : "remove_rule",
> + audit_enabled);
> audit_log_end(ab);
> return -EPERM;
> }
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists