lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAHC9VhTHF0vhm=1H6ywiZwW3U-eWQZnK8do5o7yCFQ5ykTrCYA@mail.gmail.com>
Date:   Mon, 22 Aug 2022 20:06:46 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Ecronic <ecronic@...look.com>
Cc:     eparis@...hat.com, linux-audit@...hat.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH next] audit: printk before dropping logs in audit_log_end

On Sun, Aug 21, 2022 at 10:22 AM Ecronic <ecronic@...look.com> wrote:
>
> If the log rate of audit exceeds audit_rate_limit, audit_log_end
> will drop the audit logs. Printk before dropping them may be a
> better choice.
>
> Signed-off-by: Ecronic <ecronic@...look.com>
> ---
>  kernel/audit.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)

Hi Ecronic,

I'm not sure this is the right approach; if we're hitting a rate
limit, printing the record to the console is likely the last thing we
want to do.  Are you currently hitting a problem with the rate
limiting, or is this simply something you found via code inspection?

> diff --git a/kernel/audit.c b/kernel/audit.c
> index a75978ae38ad..3f5be93447cb 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -2415,10 +2415,10 @@ void audit_log_end(struct audit_buffer *ab)
>         if (!ab)
>                 return;
>
> -       if (audit_rate_check()) {
> -               skb = ab->skb;
> -               ab->skb = NULL;
> +       skb = ab->skb;
> +       ab->skb = NULL;
>
> +       if (audit_rate_check()) {
>                 /* setup the netlink header, see the comments in
>                  * kauditd_send_multicast_skb() for length quirks */
>                 nlh = nlmsg_hdr(skb);
> @@ -2427,8 +2427,11 @@ void audit_log_end(struct audit_buffer *ab)
>                 /* queue the netlink packet and poke the kauditd thread */
>                 skb_queue_tail(&audit_queue, skb);
>                 wake_up_interruptible(&kauditd_wait);
> -       } else
> +       } else {
> +               kauditd_printk_skb(skb);
> +               kfree_skb(skb);
>                 audit_log_lost("rate limit exceeded");
> +       }
>
>         audit_buffer_free(ab);
>  }
> --
> 2.30.0

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ