* [PATCH ghau90 v2] sig_info: use standard template for log messages
@ 2019-05-10 16:21 Richard Guy Briggs
From: Richard Guy Briggs @ 2019-05-10 16:21 UTC (permalink / raw)
  To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs

Records that are triggered by an AUDIT_SIGNAL_INFO message including
AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1),
AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent
reporting of signal info and swinging field "state".

They also assume that an empty security context implies there is no
other useful information in the AUDIT_SIGNAL_INFO message, so they don't
use the information that is there.

Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and add the
"state" field where missing.

Use audit_sig_info values when available, not making assumptions about
their availability when the security context is absent.

See: https://github.com/linux-audit/audit-userspace/issues/90

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
Changelog:
v2:
- omit subj= if selinux unavailable
- add missing colon to daemon_config

 docs/audit_request_signal_info.3 |  2 +-
 lib/libaudit.c                   | 12 +++++++++
 lib/libaudit.h                   |  1 +
 src/auditd-event.c               |  2 +-
 src/auditd-reconfig.c            |  9 +++----
 src/auditd.c                     | 56 ++++++++++++++--------------------------
 6 files changed, 38 insertions(+), 44 deletions(-)

diff --git a/docs/audit_request_signal_info.3 b/docs/audit_request_signal_info.3
index 873deb58bef3..b68d7bbefeed 100644
--- a/docs/audit_request_signal_info.3
+++ b/docs/audit_request_signal_info.3
@@ -8,7 +8,7 @@ int audit_request_signal_info(int fd);
 
 .SH "DESCRIPTION"
 
-audit_request_signal_info requests that the kernel send information about the sender of a signal to the audit daemon. The sinal info structure is as follows:
+audit_request_signal_info requests that the kernel send information about the sender of a signal to the audit daemon. The signal info structure is as follows:
 
 .nf
 struct audit_sig_info {
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 2af017a0e520..e695791f9243 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -674,6 +674,18 @@ int audit_request_signal_info(int fd)
 	return rc;
 }
 
+char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res)
+{
+	if (rep->len == 24)
+		snprintf(buf, len, "op=%s auid=%u pid=%d res=%s", op,
+		 	rep->signal_info->uid, rep->signal_info->pid, res);
+	else
+		snprintf(buf, len, "op=%s auid=%u pid=%d subj=%s res=%s",
+		 	op, rep->signal_info->uid, rep->signal_info->pid,
+		 	rep->signal_info->ctx, res);
+	return buf;
+}
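Review bot: audit_format_signal_info only distinguishes `rep->len == 24` from everything else, so a reply shorter than 24 bytes (a truncated or malformed AUDIT_SIGNAL_INFO) takes the else branch and reads `rep->signal_info->ctx` beyond the data actually received; the call site this patch replaces in src/auditd-reconfig.c tested `> 24` for the same decision, which is the safer direction. Suggest `if (rep->len <= 24)` for the no-context branch and giving the 24 a name (it looks like the netlink header plus the uid/pid prefix, but that is inferred, not visible here). `op` and `res` are only handed to snprintf and every caller passes a string literal, so they should be `const char *` both here and in the lib/libaudit.h prototype; `len` is an `int` passed where snprintf takes size_t, so a negative value would silently become an enormous bound, and `size_t len` avoids that. Whether `ctx` is guaranteed NUL-terminated by whoever fills `rep` is not visible in this patch and deserves a comment on the function.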
+
 int audit_update_watch_perms(struct audit_rule_data *rule, int perms)
 {
 	unsigned int i, done=0;
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 77e4142beea2..36ea8bc04e8a 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -573,6 +573,7 @@ extern int  audit_setloginuid(uid_t uid);
 extern uint32_t audit_get_session(void);
 extern int  audit_detect_machine(void);
 extern int audit_determine_machine(const char *arch);
+extern char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res);
 
 /* Translation functions */
 extern int        audit_name_to_field(const char *field);
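Review bot: The new exported declaration says nothing about its contract, while the other entry point touched by this patch, audit_request_signal_info, has a man page. Add a comment above it such as `/* Format "op=<op> auid=<uid> pid=<pid> [subj=<ctx>] res=<res>" from an AUDIT_SIGNAL_INFO reply into buf (NUL-terminated when len > 0); subj= is omitted when the reply carries no security context. Returns buf. */` so callers know the buffer is always terminated and which field is conditional.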
diff --git a/src/auditd-event.c b/src/auditd-event.c
index ef2828d8df94..2970aba44456 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -1572,7 +1572,7 @@ static void reconfigure(struct auditd_event *e)
 
 	e->reply.type = AUDIT_DAEMON_CONFIG;
 	e->reply.len = snprintf(e->reply.msg.data, MAX_AUDIT_MESSAGE_LENGTH-2, 
-	"%s op=reconfigure state=changed auid=%u pid=%d subj=%s res=success",
+	"%s : op=reconfigure state=changed auid=%u pid=%d subj=%s res=success",
 		date, uid, pid, ctx );
 	e->reply.message = e->reply.msg.data;
 	free((char *)ctx);
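Review bot: The inserted separator is `" : "` with a space on each side, so if `date` holds the `audit(time:serial)` token this record reads `audit(...) : op=reconfigure`, whereas the records this is meant to match put the colon directly after the closing parenthesis (`audit(1557843567.201:126068): cwd=`). If matching that layout is the intent, the format should be `"%s: op=reconfigure state=changed auid=%u pid=%d subj=%s res=success",`. What `date` actually contains is set outside this hunk, so confirm before changing; reconfigure's body also continues outside the hunk.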
diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c
index a03e29aa57ab..f5b00e6d1dc7 100644
--- a/src/auditd-reconfig.c
+++ b/src/auditd-reconfig.c
@@ -115,12 +115,9 @@ static void *config_thread_main(void *arg)
 	} else {
 		// need to send a failed event message
 		char txt[MAX_AUDIT_MESSAGE_LENGTH];
-		snprintf(txt, sizeof(txt),
-	    "op=reconfigure state=no-change auid=%u pid=%d subj=%s res=failed",
-			e->reply.signal_info->uid,
-			e->reply.signal_info->pid,
-			(e->reply.len > 24) ? 
-				e->reply.signal_info->ctx : "?");
+		audit_format_signal_info(txt, sizeof(txt),
+					 "reconfigure state=no-change",
+				         &e->reply, "failed");
 		// FIXME: need to figure out sending this
 		//send_audit_event(AUDIT_DAEMON_CONFIG, txt);
 		free_config(&new_config);
diff --git a/src/auditd.c b/src/auditd.c
index c04a1c9ce93f..63404b25fbc5 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, struct ev_signal *sig, int revent
 	rc = audit_request_signal_info(fd);
 	if (rc < 0)
 		send_audit_event(AUDIT_DAEMON_CONFIG, 
-	  "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=? res=failed");
+	  "op=reconfigure state=no-change auid=-1 pid=-1 subj=? res=failed");
 	else
 		hup_info_requested = 1;
 }
@@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, struct ev_signal *sig,
 	rc = audit_request_signal_info(fd);
 	if (rc < 0)
 		send_audit_event(AUDIT_DAEMON_ROTATE, 
-			 "op=usr1-info auid=-1 pid=-1 subj=? res=failed");
+			 "op=rotate-logs auid=-1 pid=-1 subj=? res=failed");
 	else
 		usr1_info_requested = 1;
 }
@@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, struct ev_signal *sig, int reve
 	if (rc < 0) {
 		resume_logging();
 		send_audit_event(AUDIT_DAEMON_RESUME, 
-			 "op=resume-logging auid=-1 pid=-1 subj=? res=success");
+			 "op=resume-logging auid=-1 pid=-1 subj=? res=failed");
 	} else
 		usr2_info_requested = 1;
 }
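Review bot: `res=failed` is now reported even though `resume_logging()` on the preceding line has already run, so the record claims the resume failed when only the signal-info request did; anything keying on res= in the audit trail will see a spurious failure. Keep `"op=resume-logging auid=-1 pid=-1 subj=? res=success"` here, and the same applies to the terminate record in the `main` hunk of this file, where the daemon shuts down regardless of `rc`. If the failed lookup is worth recording, a separate field conveys it without inverting the result of the operation itself. user2_handler starts outside the hunk.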
@@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io,
 			break;
 		case AUDIT_SIGNAL_INFO:
 			if (hup_info_requested) {
+				char hup[MAX_AUDIT_MESSAGE_LENGTH];
 				audit_msg(LOG_DEBUG,
 				    "HUP detected, starting config manager");
 				reconfig_ev = cur_event;
 				if (start_config_manager(cur_event)) {
-					send_audit_event(
-						AUDIT_DAEMON_CONFIG, 
-				  "op=reconfigure state=no-change "
-				  "auid=-1 pid=-1 subj=? res=failed");
+					audit_format_signal_info(hup, sizeof(hup),
+								 "reconfigure state=no-change",
+								 &cur_event->reply,
+								 "failed");
+					send_audit_event(AUDIT_DAEMON_CONFIG, hup);
 				}
 				cur_event = NULL;
 				hup_info_requested = 0;
 			} else if (usr1_info_requested) {
 				char usr1[MAX_AUDIT_MESSAGE_LENGTH];
-				if (cur_event->reply.len == 24) {
-					snprintf(usr1, sizeof(usr1),
-					"op=rotate-logs auid=-1 pid=-1 subj=?");
-				} else {
-					snprintf(usr1, sizeof(usr1),
-				 "op=rotate-logs auid=%u pid=%d subj=%s",
-					 cur_event->reply.signal_info->uid, 
-					 cur_event->reply.signal_info->pid,
-					 cur_event->reply.signal_info->ctx);
-				}
+				audit_format_signal_info(usr1, sizeof(usr1),
+							 "rotate-logs",
+							 &cur_event->reply,
+							 "success");
 				send_audit_event(AUDIT_DAEMON_ROTATE, usr1);
 				usr1_info_requested = 0;
 			} else if (usr2_info_requested) {
 				char usr2[MAX_AUDIT_MESSAGE_LENGTH];
-				if (cur_event->reply.len == 24) {
-					snprintf(usr2, sizeof(usr2), 
-						"op=resume-logging auid=-1 "
-						"pid=-1 subj=? res=success");
-				} else {
-					snprintf(usr2, sizeof(usr2),
-						"op=resume-logging "
-					"auid=%u pid=%d subj=%s res=success",
-					 cur_event->reply.signal_info->uid, 
-					 cur_event->reply.signal_info->pid,
-					 cur_event->reply.signal_info->ctx);
-				}
+				audit_format_signal_info(usr2, sizeof(usr2),
+							 "resume-logging",
+							 &cur_event->reply,
+							 "success");
 				resume_logging();
 				libdisp_resume();
 				send_audit_event(AUDIT_DAEMON_RESUME, usr2); 
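Review bot: `hup` is declared at the top of the `hup_info_requested` branch but is only written and read inside `if (start_config_manager(cur_event))`, whereas `usr1` and `usr2` are declared in the branch that uses them; moving `char hup[MAX_AUDIT_MESSAGE_LENGTH];` into that `if` keeps the three cases parallel and narrows the scope. The helper's return value is discarded at all three call sites, which is fine since it only hands back `buf`. netlink_handler starts and ends outside the hunk.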
@@ -993,18 +981,14 @@ int main(int argc, char *argv[])
 		rc = get_reply(fd, &trep, rc);
 		if (rc > 0) {
 			char txt[MAX_AUDIT_MESSAGE_LENGTH];
-			snprintf(txt, sizeof(txt),
-				"op=terminate auid=%u "
-				"pid=%d subj=%s res=success",
-				 trep.signal_info->uid,
-				 trep.signal_info->pid, 
-				 trep.signal_info->ctx); 
+			audit_format_signal_info(txt, sizeof(txt), "terminate",
+						 &trep, "success");
 			send_audit_event(AUDIT_DAEMON_END, txt);
 		} 
 	} 
 	if (rc <= 0)
 		send_audit_event(AUDIT_DAEMON_END, 
-			"op=terminate auid=-1 pid=-1 subj=? res=success");
+			"op=terminate auid=-1 pid=-1 subj=? res=failed");
 	free(cur_event);
 
 	// Tear down IO watchers Part 2
-- 
1.8.3.1


* Re: [PATCH ghau90 v2] sig_info: use standard template for log messages
@ 2019-05-15 18:39 ` Steve Grubb
From: Steve Grubb @ 2019-05-15 18:39 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List

On Friday, May 10, 2019 12:21:57 PM EDT Richard Guy Briggs wrote:
> Records that are triggered by an AUDIT_SIGNAL_INFO message including
> AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1),
> AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent
> reporting of signal info and swinging field "state".
> 
> They also assume that an empty security context implies there is no
> other useful information in the AUDIT_SIGNAL_INFO message so don't use
> the information that is there.
> 
> Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and add the
> "state" field where missing.
> 
> Use audit_sig_info values when available, not making assumptions about
> their availability when the security context is absent.
> 
> See: https://github.com/linux-audit/audit-userspace/issues/90

This was applied with some fixes. I don't know why ':' was introduced in one 
event. But we've been trying to get rid of non-meaningful text. Also, there 
were 2 places where a success result was switched to a fail. These were fixed 
back.

-Steve

> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> Changelog:
> v2:
> - omit subj= if selinux unavailable
> - add missing colon to daemon_config
> 
>  docs/audit_request_signal_info.3 |  2 +-
>  lib/libaudit.c                   | 12 +++++++++
>  lib/libaudit.h                   |  1 +
>  src/auditd-event.c               |  2 +-
>  src/auditd-reconfig.c            |  9 +++----
>  src/auditd.c                     | 56
> ++++++++++++++-------------------------- 6 files changed, 38
> insertions(+), 44 deletions(-)
> 
> diff --git a/docs/audit_request_signal_info.3
> b/docs/audit_request_signal_info.3 index 873deb58bef3..b68d7bbefeed 100644
> --- a/docs/audit_request_signal_info.3
> +++ b/docs/audit_request_signal_info.3
> @@ -8,7 +8,7 @@ int audit_request_signal_info(int fd);
> 
>  .SH "DESCRIPTION"
> 
> -audit_request_signal_info requests that the kernel send information about
> the sender of a signal to the audit daemon. The sinal info structure is as
> follows: +audit_request_signal_info requests that the kernel send
> information about the sender of a signal to the audit daemon. The signal
> info structure is as follows:
> 
>  .nf
>  struct audit_sig_info {
> diff --git a/lib/libaudit.c b/lib/libaudit.c
> index 2af017a0e520..e695791f9243 100644
> --- a/lib/libaudit.c
> +++ b/lib/libaudit.c
> @@ -674,6 +674,18 @@ int audit_request_signal_info(int fd)
>  	return rc;
>  }
> 
> +char *audit_format_signal_info(char *buf, int len, char *op, struct
> audit_reply *rep, char *res) +{
> +	if (rep->len == 24)
> +		snprintf(buf, len, "op=%s auid=%u pid=%d res=%s", op,
> +		 	rep->signal_info->uid, rep->signal_info->pid, res);
> +	else
> +		snprintf(buf, len, "op=%s auid=%u pid=%d subj=%s res=%s",
> +		 	op, rep->signal_info->uid, rep->signal_info->pid,
> +		 	rep->signal_info->ctx, res);
> +	return buf;
> +}
> +
>  int audit_update_watch_perms(struct audit_rule_data *rule, int perms)
>  {
>  	unsigned int i, done=0;
> diff --git a/lib/libaudit.h b/lib/libaudit.h
> index 77e4142beea2..36ea8bc04e8a 100644
> --- a/lib/libaudit.h
> +++ b/lib/libaudit.h
> @@ -573,6 +573,7 @@ extern int  audit_setloginuid(uid_t uid);
>  extern uint32_t audit_get_session(void);
>  extern int  audit_detect_machine(void);
>  extern int audit_determine_machine(const char *arch);
> +extern char *audit_format_signal_info(char *buf, int len, char *op, struct
> audit_reply *rep, char *res);
> 
>  /* Translation functions */
>  extern int        audit_name_to_field(const char *field);
> diff --git a/src/auditd-event.c b/src/auditd-event.c
> index ef2828d8df94..2970aba44456 100644
> --- a/src/auditd-event.c
> +++ b/src/auditd-event.c
> @@ -1572,7 +1572,7 @@ static void reconfigure(struct auditd_event *e)
> 
>  	e->reply.type = AUDIT_DAEMON_CONFIG;
>  	e->reply.len = snprintf(e->reply.msg.data, 
MAX_AUDIT_MESSAGE_LENGTH-2,
> -	"%s op=reconfigure state=changed auid=%u pid=%d subj=%s res=success",
> +	"%s : op=reconfigure state=changed auid=%u pid=%d subj=%s res=success",
>  		date, uid, pid, ctx );
>  	e->reply.message = e->reply.msg.data;
>  	free((char *)ctx);
> diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c
> index a03e29aa57ab..f5b00e6d1dc7 100644
> --- a/src/auditd-reconfig.c
> +++ b/src/auditd-reconfig.c
> @@ -115,12 +115,9 @@ static void *config_thread_main(void *arg)
>  	} else {
>  		// need to send a failed event message
>  		char txt[MAX_AUDIT_MESSAGE_LENGTH];
> -		snprintf(txt, sizeof(txt),
> -	    "op=reconfigure state=no-change auid=%u pid=%d subj=%s 
res=failed",
> -			e->reply.signal_info->uid,
> -			e->reply.signal_info->pid,
> -			(e->reply.len > 24) ?
> -				e->reply.signal_info->ctx : "?");
> +		audit_format_signal_info(txt, sizeof(txt),
> +					 "reconfigure state=no-change",
> +				         &e->reply, "failed");
>  		// FIXME: need to figure out sending this
>  		//send_audit_event(AUDIT_DAEMON_CONFIG, txt);
>  		free_config(&new_config);
> diff --git a/src/auditd.c b/src/auditd.c
> index c04a1c9ce93f..63404b25fbc5 100644
> --- a/src/auditd.c
> +++ b/src/auditd.c
> @@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, struct
> ev_signal *sig, int revent rc = audit_request_signal_info(fd);
>  	if (rc < 0)
>  		send_audit_event(AUDIT_DAEMON_CONFIG,
> -	  "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=? 
res=failed");
> +	  "op=reconfigure state=no-change auid=-1 pid=-1 subj=? res=failed");
>  	else
>  		hup_info_requested = 1;
>  }
> @@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, struct
> ev_signal *sig, rc = audit_request_signal_info(fd);
>  	if (rc < 0)
>  		send_audit_event(AUDIT_DAEMON_ROTATE,
> -			 "op=usr1-info auid=-1 pid=-1 subj=? res=failed");
> +			 "op=rotate-logs auid=-1 pid=-1 subj=? res=failed");
>  	else
>  		usr1_info_requested = 1;
>  }
> @@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, struct
> ev_signal *sig, int reve if (rc < 0) {
>  		resume_logging();
>  		send_audit_event(AUDIT_DAEMON_RESUME,
> -			 "op=resume-logging auid=-1 pid=-1 subj=? 
res=success");
> +			 "op=resume-logging auid=-1 pid=-1 subj=? res=failed");
>  	} else
>  		usr2_info_requested = 1;
>  }
> @@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop,
> struct ev_io *io, break;
>  		case AUDIT_SIGNAL_INFO:
>  			if (hup_info_requested) {
> +				char hup[MAX_AUDIT_MESSAGE_LENGTH];
>  				audit_msg(LOG_DEBUG,
>  				    "HUP detected, starting config manager");
>  				reconfig_ev = cur_event;
>  				if (start_config_manager(cur_event)) {
> -					send_audit_event(
> -						AUDIT_DAEMON_CONFIG,
> -				  "op=reconfigure state=no-change "
> -				  "auid=-1 pid=-1 subj=? res=failed");
> +					audit_format_signal_info(hup, sizeof(hup),
> +								 "reconfigure 
state=no-change",
> +								 &cur_event->reply,
> +								 "failed");
> +					send_audit_event(AUDIT_DAEMON_CONFIG, 
hup);
>  				}
>  				cur_event = NULL;
>  				hup_info_requested = 0;
>  			} else if (usr1_info_requested) {
>  				char usr1[MAX_AUDIT_MESSAGE_LENGTH];
> -				if (cur_event->reply.len == 24) {
> -					snprintf(usr1, sizeof(usr1),
> -					"op=rotate-logs auid=-1 pid=-1 subj=?");
> -				} else {
> -					snprintf(usr1, sizeof(usr1),
> -				 "op=rotate-logs auid=%u pid=%d subj=%s",
> -					 cur_event->reply.signal_info->uid,
> -					 cur_event->reply.signal_info->pid,
> -					 cur_event->reply.signal_info->ctx);
> -				}
> +				audit_format_signal_info(usr1, sizeof(usr1),
> +							 "rotate-logs",
> +							 &cur_event->reply,
> +							 "success");
>  				send_audit_event(AUDIT_DAEMON_ROTATE, usr1);
>  				usr1_info_requested = 0;
>  			} else if (usr2_info_requested) {
>  				char usr2[MAX_AUDIT_MESSAGE_LENGTH];
> -				if (cur_event->reply.len == 24) {
> -					snprintf(usr2, sizeof(usr2),
> -						"op=resume-logging auid=-1 "
> -						"pid=-1 subj=? res=success");
> -				} else {
> -					snprintf(usr2, sizeof(usr2),
> -						"op=resume-logging "
> -					"auid=%u pid=%d subj=%s res=success",
> -					 cur_event->reply.signal_info->uid,
> -					 cur_event->reply.signal_info->pid,
> -					 cur_event->reply.signal_info->ctx);
> -				}
> +				audit_format_signal_info(usr2, sizeof(usr2),
> +							 "resume-logging",
> +							 &cur_event->reply,
> +							 "success");
>  				resume_logging();
>  				libdisp_resume();
>  				send_audit_event(AUDIT_DAEMON_RESUME, usr2);
> @@ -993,18 +981,14 @@ int main(int argc, char *argv[])
>  		rc = get_reply(fd, &trep, rc);
>  		if (rc > 0) {
>  			char txt[MAX_AUDIT_MESSAGE_LENGTH];
> -			snprintf(txt, sizeof(txt),
> -				"op=terminate auid=%u "
> -				"pid=%d subj=%s res=success",
> -				 trep.signal_info->uid,
> -				 trep.signal_info->pid,
> -				 trep.signal_info->ctx);
> +			audit_format_signal_info(txt, sizeof(txt), "terminate",
> +						 &trep, "success");
>  			send_audit_event(AUDIT_DAEMON_END, txt);
>  		}
>  	}
>  	if (rc <= 0)
>  		send_audit_event(AUDIT_DAEMON_END,
> -			"op=terminate auid=-1 pid=-1 subj=? res=success");
> +			"op=terminate auid=-1 pid=-1 subj=? res=failed");
>  	free(cur_event);
> 
>  	// Tear down IO watchers Part 2


* Re: [PATCH ghau90 v2] sig_info: use standard template for log messages
@ 2019-05-15 19:02   ` Richard Guy Briggs
From: Richard Guy Briggs @ 2019-05-15 19:02 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux-Audit Mailing List

On 2019-05-15 14:39, Steve Grubb wrote:
> On Friday, May 10, 2019 12:21:57 PM EDT Richard Guy Briggs wrote:
> > Records that are triggered by an AUDIT_SIGNAL_INFO message including
> > AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1),
> > AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent
> > reporting of signal info and swinging field "state".
> > 
> > They also assume that an empty security context implies there is no
> > other useful information in the AUDIT_SIGNAL_INFO message so don't use
> > the information that is there.
> > 
> > Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and add the
> > "state" field where missing.
> > 
> > Use audit_sig_info values when available, not making assumptions about
> > their availability when the security context is absent.
> > 
> > See: https://github.com/linux-audit/audit-userspace/issues/90
> 
> This was applied with some fixes. I don't know why ':' was introduced in one 
> event. But we've been trying to get rid of non-meaningful text.

The ":" is there to normalize that record with all the others.  They all
have a format such as:
	type=CWD msg=audit(1557843567.201:126068): cwd="/"

The colon was missing after the (date:serial) before the list of fields.

> Also, there were 2 places where a success result was switched to a
> fail.  These were fixed back.

I do prefer you would point out which ones in-line below and let me
submit a new patch to fix them...

> -Steve
> 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > Changelog:
> > v2:
> > - omit subj= if selinux unavailable
> > - add missing colon to daemon_config
> > 
> >  docs/audit_request_signal_info.3 |  2 +-
> >  lib/libaudit.c                   | 12 +++++++++
> >  lib/libaudit.h                   |  1 +
> >  src/auditd-event.c               |  2 +-
> >  src/auditd-reconfig.c            |  9 +++----
> >  src/auditd.c                     | 56
> > ++++++++++++++-------------------------- 6 files changed, 38
> > insertions(+), 44 deletions(-)
> > 
> > diff --git a/docs/audit_request_signal_info.3
> > b/docs/audit_request_signal_info.3 index 873deb58bef3..b68d7bbefeed 100644
> > --- a/docs/audit_request_signal_info.3
> > +++ b/docs/audit_request_signal_info.3
> > @@ -8,7 +8,7 @@ int audit_request_signal_info(int fd);
> > 
> >  .SH "DESCRIPTION"
> > 
> > -audit_request_signal_info requests that the kernel send information about
> > the sender of a signal to the audit daemon. The sinal info structure is as
> > follows: +audit_request_signal_info requests that the kernel send
> > information about the sender of a signal to the audit daemon. The signal
> > info structure is as follows:
> > 
> >  .nf
> >  struct audit_sig_info {
> > diff --git a/lib/libaudit.c b/lib/libaudit.c
> > index 2af017a0e520..e695791f9243 100644
> > --- a/lib/libaudit.c
> > +++ b/lib/libaudit.c
> > @@ -674,6 +674,18 @@ int audit_request_signal_info(int fd)
> >  	return rc;
> >  }
> > 
> > +char *audit_format_signal_info(char *buf, int len, char *op, struct
> > audit_reply *rep, char *res) +{
> > +	if (rep->len == 24)
> > +		snprintf(buf, len, "op=%s auid=%u pid=%d res=%s", op,
> > +		 	rep->signal_info->uid, rep->signal_info->pid, res);
> > +	else
> > +		snprintf(buf, len, "op=%s auid=%u pid=%d subj=%s res=%s",
> > +		 	op, rep->signal_info->uid, rep->signal_info->pid,
> > +		 	rep->signal_info->ctx, res);
> > +	return buf;
> > +}
> > +
> >  int audit_update_watch_perms(struct audit_rule_data *rule, int perms)
> >  {
> >  	unsigned int i, done=0;
> > diff --git a/lib/libaudit.h b/lib/libaudit.h
> > index 77e4142beea2..36ea8bc04e8a 100644
> > --- a/lib/libaudit.h
> > +++ b/lib/libaudit.h
> > @@ -573,6 +573,7 @@ extern int  audit_setloginuid(uid_t uid);
> >  extern uint32_t audit_get_session(void);
> >  extern int  audit_detect_machine(void);
> >  extern int audit_determine_machine(const char *arch);
> > +extern char *audit_format_signal_info(char *buf, int len, char *op, struct
> > audit_reply *rep, char *res);
> > 
> >  /* Translation functions */
> >  extern int        audit_name_to_field(const char *field);
> > diff --git a/src/auditd-event.c b/src/auditd-event.c
> > index ef2828d8df94..2970aba44456 100644
> > --- a/src/auditd-event.c
> > +++ b/src/auditd-event.c
> > @@ -1572,7 +1572,7 @@ static void reconfigure(struct auditd_event *e)
> > 
> >  	e->reply.type = AUDIT_DAEMON_CONFIG;
> >  	e->reply.len = snprintf(e->reply.msg.data, 
> MAX_AUDIT_MESSAGE_LENGTH-2,
> > -	"%s op=reconfigure state=changed auid=%u pid=%d subj=%s res=success",
> > +	"%s : op=reconfigure state=changed auid=%u pid=%d subj=%s res=success",
> >  		date, uid, pid, ctx );
> >  	e->reply.message = e->reply.msg.data;
> >  	free((char *)ctx);
> > diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c
> > index a03e29aa57ab..f5b00e6d1dc7 100644
> > --- a/src/auditd-reconfig.c
> > +++ b/src/auditd-reconfig.c
> > @@ -115,12 +115,9 @@ static void *config_thread_main(void *arg)
> >  	} else {
> >  		// need to send a failed event message
> >  		char txt[MAX_AUDIT_MESSAGE_LENGTH];
> > -		snprintf(txt, sizeof(txt),
> > -	    "op=reconfigure state=no-change auid=%u pid=%d subj=%s 
> res=failed",
> > -			e->reply.signal_info->uid,
> > -			e->reply.signal_info->pid,
> > -			(e->reply.len > 24) ?
> > -				e->reply.signal_info->ctx : "?");
> > +		audit_format_signal_info(txt, sizeof(txt),
> > +					 "reconfigure state=no-change",
> > +				         &e->reply, "failed");
> >  		// FIXME: need to figure out sending this
> >  		//send_audit_event(AUDIT_DAEMON_CONFIG, txt);
> >  		free_config(&new_config);
> > diff --git a/src/auditd.c b/src/auditd.c
> > index c04a1c9ce93f..63404b25fbc5 100644
> > --- a/src/auditd.c
> > +++ b/src/auditd.c
> > @@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, struct
> > ev_signal *sig, int revent rc = audit_request_signal_info(fd);
> >  	if (rc < 0)
> >  		send_audit_event(AUDIT_DAEMON_CONFIG,
> > -	  "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=? 
> res=failed");
> > +	  "op=reconfigure state=no-change auid=-1 pid=-1 subj=? res=failed");
> >  	else
> >  		hup_info_requested = 1;
> >  }
> > @@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, struct
> > ev_signal *sig, rc = audit_request_signal_info(fd);
> >  	if (rc < 0)
> >  		send_audit_event(AUDIT_DAEMON_ROTATE,
> > -			 "op=usr1-info auid=-1 pid=-1 subj=? res=failed");
> > +			 "op=rotate-logs auid=-1 pid=-1 subj=? res=failed");
> >  	else
> >  		usr1_info_requested = 1;
> >  }
> > @@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, struct
> > ev_signal *sig, int reve if (rc < 0) {
> >  		resume_logging();
> >  		send_audit_event(AUDIT_DAEMON_RESUME,
> > -			 "op=resume-logging auid=-1 pid=-1 subj=? 
> res=success");
> > +			 "op=resume-logging auid=-1 pid=-1 subj=? res=failed");
> >  	} else
> >  		usr2_info_requested = 1;
> >  }
> > @@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop,
> > struct ev_io *io, break;
> >  		case AUDIT_SIGNAL_INFO:
> >  			if (hup_info_requested) {
> > +				char hup[MAX_AUDIT_MESSAGE_LENGTH];
> >  				audit_msg(LOG_DEBUG,
> >  				    "HUP detected, starting config manager");
> >  				reconfig_ev = cur_event;
> >  				if (start_config_manager(cur_event)) {
> > -					send_audit_event(
> > -						AUDIT_DAEMON_CONFIG,
> > -				  "op=reconfigure state=no-change "
> > -				  "auid=-1 pid=-1 subj=? res=failed");
> > +					audit_format_signal_info(hup, sizeof(hup),
> > +								 "reconfigure 
> state=no-change",
> > +								 &cur_event->reply,
> > +								 "failed");
> > +					send_audit_event(AUDIT_DAEMON_CONFIG, 
> hup);
> >  				}
> >  				cur_event = NULL;
> >  				hup_info_requested = 0;
> >  			} else if (usr1_info_requested) {
> >  				char usr1[MAX_AUDIT_MESSAGE_LENGTH];
> > -				if (cur_event->reply.len == 24) {
> > -					snprintf(usr1, sizeof(usr1),
> > -					"op=rotate-logs auid=-1 pid=-1 subj=?");
> > -				} else {
> > -					snprintf(usr1, sizeof(usr1),
> > -				 "op=rotate-logs auid=%u pid=%d subj=%s",
> > -					 cur_event->reply.signal_info->uid,
> > -					 cur_event->reply.signal_info->pid,
> > -					 cur_event->reply.signal_info->ctx);
> > -				}
> > +				audit_format_signal_info(usr1, sizeof(usr1),
> > +							 "rotate-logs",
> > +							 &cur_event->reply,
> > +							 "success");
> >  				send_audit_event(AUDIT_DAEMON_ROTATE, usr1);
> >  				usr1_info_requested = 0;
> >  			} else if (usr2_info_requested) {
> >  				char usr2[MAX_AUDIT_MESSAGE_LENGTH];
> > -				if (cur_event->reply.len == 24) {
> > -					snprintf(usr2, sizeof(usr2),
> > -						"op=resume-logging auid=-1 "
> > -						"pid=-1 subj=? res=success");
> > -				} else {
> > -					snprintf(usr2, sizeof(usr2),
> > -						"op=resume-logging "
> > -					"auid=%u pid=%d subj=%s res=success",
> > -					 cur_event->reply.signal_info->uid,
> > -					 cur_event->reply.signal_info->pid,
> > -					 cur_event->reply.signal_info->ctx);
> > -				}
> > +				audit_format_signal_info(usr2, sizeof(usr2),
> > +							 "resume-logging",
> > +							 &cur_event->reply,
> > +							 "success");
> >  				resume_logging();
> >  				libdisp_resume();
> >  				send_audit_event(AUDIT_DAEMON_RESUME, usr2);
> > @@ -993,18 +981,14 @@ int main(int argc, char *argv[])
> >  		rc = get_reply(fd, &trep, rc);
> >  		if (rc > 0) {
> >  			char txt[MAX_AUDIT_MESSAGE_LENGTH];
> > -			snprintf(txt, sizeof(txt),
> > -				"op=terminate auid=%u "
> > -				"pid=%d subj=%s res=success",
> > -				 trep.signal_info->uid,
> > -				 trep.signal_info->pid,
> > -				 trep.signal_info->ctx);
> > +			audit_format_signal_info(txt, sizeof(txt), "terminate",
> > +						 &trep, "success");
> >  			send_audit_event(AUDIT_DAEMON_END, txt);
> >  		}
> >  	}
> >  	if (rc <= 0)
> >  		send_audit_event(AUDIT_DAEMON_END,
> > -			"op=terminate auid=-1 pid=-1 subj=? res=success");
> > +			"op=terminate auid=-1 pid=-1 subj=? res=failed");
> >  	free(cur_event);
> > 
> >  	// Tear down IO watchers Part 2
> 
> 
> 
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

